Full Code of falcosecurity/falco for AI

Repository: falcosecurity/falco
Branch: master
Commit: 07d627a8e6a6
Files: 276
Total size: 1.7 MB

Directory structure:
gitextract_4qc7e9o1/

├── .circleci/
│   └── OWNERS
├── .clang-format
├── .clang-format-ignore
├── .cmake-format.json
├── .codespellignore
├── .dockerignore
├── .git-blame-ignore-revs
├── .github/
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── dependabot.yml
│   ├── release_template.md
│   └── workflows/
│       ├── bump-libs.yaml
│       ├── ci.yml
│       ├── codeql.yaml
│       ├── codespell.yml
│       ├── engine-version-weakcheck.yaml
│       ├── format.yaml
│       ├── insecure-api.yaml
│       ├── master.yaml
│       ├── release.yaml
│       ├── reusable_build_dev.yaml
│       ├── reusable_build_docker.yaml
│       ├── reusable_build_packages.yaml
│       ├── reusable_fetch_version.yaml
│       ├── reusable_publish_docker.yaml
│       ├── reusable_publish_packages.yaml
│       ├── reusable_test_packages.yaml
│       ├── scorecard.yaml
│       └── staticanalysis.yaml
├── .gitignore
├── .gitmodules
├── .pre-commit-config.yaml
├── .yamllint.conf
├── ADOPTERS.md
├── CHANGELOG.md
├── CMakeLists.txt
├── COPYING
├── Contributing.md
├── LICENSE
├── Makefile
├── OWNERS
├── README.md
├── RELEASE.md
├── brand/
│   └── README.md
├── cmake/
│   ├── cpack/
│   │   ├── CMakeCPackOptions.cmake
│   │   └── debian/
│   │       └── conffiles
│   └── modules/
│       ├── CPackConfig.cmake
│       ├── CompilerFlags.cmake
│       ├── Coverage.cmake
│       ├── cares.cmake
│       ├── copy_files_to_build_dir.cmake
│       ├── cpp-httplib.cmake
│       ├── curl.cmake
│       ├── cxxopts.cmake
│       ├── driver-repo/
│       │   └── CMakeLists.txt
│       ├── driver.cmake
│       ├── falco-version.cmake
│       ├── falcoctl.cmake
│       ├── falcosecurity-libs-repo/
│       │   └── CMakeLists.txt
│       ├── falcosecurity-libs.cmake
│       ├── gperftools.cmake
│       ├── jemalloc.cmake
│       ├── mimalloc.cmake
│       ├── njson.cmake
│       ├── openssl.cmake
│       ├── rules.cmake
│       ├── static-analysis.cmake
│       └── yaml-cpp.cmake
├── config/
│   ├── falco.container_plugin.yaml
│   └── falco.iso8601_timeformat.yaml
├── docker/
│   ├── OWNERS
│   ├── README.md
│   ├── docker-compose/
│   │   ├── README.md
│   │   ├── config/
│   │   │   └── http_output.yml
│   │   └── docker-compose.yaml
│   ├── driver-loader/
│   │   ├── Dockerfile
│   │   └── docker-entrypoint.sh
│   ├── driver-loader-buster/
│   │   ├── Dockerfile
│   │   └── docker-entrypoint.sh
│   ├── falco/
│   │   └── Dockerfile
│   └── falco-debian/
│       └── Dockerfile
├── falco.yaml
├── proposals/
│   ├── 20190826-grpc-outputs.md
│   ├── 20190909-psp-rules-support.md
│   ├── 20191030-api.md
│   ├── 20191217-rules-naming-convention.md
│   ├── 20200506-artifacts-scope-part-1.md
│   ├── 20200506-artifacts-scope-part-2.md
│   ├── 20200818-artifacts-storage.md
│   ├── 20200828-structured-exception-handling.md
│   ├── 20200901-artifacts-cleanup.md
│   ├── 20201025-drivers-storage-s3.md
│   ├── 20210119-libraries-contribution.md
│   ├── 20210501-plugin-system.md
│   ├── 20221129-artifacts-distribution.md
│   ├── 20230511-roadmap-management.md
│   ├── 20230620-anomaly-detection-framework.md
│   ├── 20231220-features-adoption-and-deprecation.md
│   ├── 20251205-multi-thread-falco-design.md
│   └── 20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md
├── scripts/
│   ├── CMakeLists.txt
│   ├── debian/
│   │   ├── postinst.in
│   │   ├── postrm.in
│   │   └── prerm.in
│   ├── description.txt
│   ├── falcoctl/
│   │   └── falcoctl.yaml.in
│   ├── publish-bin
│   ├── publish-deb
│   ├── publish-rpm
│   ├── publish-wasm
│   ├── rpm/
│   │   ├── postinstall.in
│   │   ├── postuninstall.in
│   │   └── preuninstall.in
│   └── systemd/
│       ├── falco-custom.service
│       ├── falco-kmod-inject.service
│       ├── falco-kmod.service
│       ├── falco-modern-bpf.service
│       └── falcoctl-artifact-follow.service
├── semgrep/
│   ├── insecure-api-gets.yaml
│   ├── insecure-api-sprintf-vsprintf.yaml
│   ├── insecure-api-strcpy-stpcpy-strcat.yaml
│   └── insecure-api-strn.yaml
├── tools/
│   └── local_hooks/
│       └── dco-pre-commit-msg.sh
├── unit_tests/
│   ├── CMakeLists.txt
│   ├── README.md
│   ├── engine/
│   │   ├── test_add_source.cpp
│   │   ├── test_alt_rule_loader.cpp
│   │   ├── test_enable_rule.cpp
│   │   ├── test_extra_output.cpp
│   │   ├── test_falco_utils.cpp
│   │   ├── test_filter_details_resolver.cpp
│   │   ├── test_filter_macro_resolver.cpp
│   │   ├── test_filter_warning_resolver.cpp
│   │   ├── test_plugin_requirements.cpp
│   │   ├── test_rule_loader.cpp
│   │   └── test_rulesets.cpp
│   ├── falco/
│   │   ├── app/
│   │   │   └── actions/
│   │   │       ├── app_action_helpers.h
│   │   │       ├── test_configure_interesting_sets.cpp
│   │   │       ├── test_configure_syscall_buffer_num.cpp
│   │   │       ├── test_load_config.cpp
│   │   │       └── test_select_event_sources.cpp
│   │   ├── test_atomic_signal_handler.cpp
│   │   ├── test_capture.cpp
│   │   ├── test_configs/
│   │   │   ├── engine_kmod_config.yaml
│   │   │   └── engine_modern_config.yaml
│   │   ├── test_configuration.cpp
│   │   ├── test_configuration_config_files.cpp
│   │   ├── test_configuration_env_vars.cpp
│   │   ├── test_configuration_output_options.cpp
│   │   ├── test_configuration_rule_selection.cpp
│   │   └── test_configuration_schema.cpp
│   ├── falco_test_var.h.in
│   ├── test_falco_engine.cpp
│   └── test_falco_engine.h
└── userspace/
    ├── engine/
    │   ├── CMakeLists.txt
    │   ├── OWNERS
    │   ├── evttype_index_ruleset.cpp
    │   ├── evttype_index_ruleset.h
    │   ├── falco_common.cpp
    │   ├── falco_common.h
    │   ├── falco_engine.cpp
    │   ├── falco_engine.h
    │   ├── falco_engine_version.h
    │   ├── falco_load_result.cpp
    │   ├── falco_load_result.h
    │   ├── falco_rule.h
    │   ├── falco_source.h
    │   ├── falco_utils.cpp
    │   ├── falco_utils.h
    │   ├── field_formatter.cpp
    │   ├── field_formatter.h
    │   ├── filter_details_resolver.cpp
    │   ├── filter_details_resolver.h
    │   ├── filter_macro_resolver.cpp
    │   ├── filter_macro_resolver.h
    │   ├── filter_ruleset.cpp
    │   ├── filter_ruleset.h
    │   ├── filter_warning_resolver.cpp
    │   ├── filter_warning_resolver.h
    │   ├── formats.cpp
    │   ├── formats.h
    │   ├── indexable_ruleset.h
    │   ├── indexed_vector.h
    │   ├── logger.cpp
    │   ├── logger.h
    │   ├── output_format.h
    │   ├── rule_json_schema.h
    │   ├── rule_loader.cpp
    │   ├── rule_loader.h
    │   ├── rule_loader_collector.cpp
    │   ├── rule_loader_collector.h
    │   ├── rule_loader_compile_output.h
    │   ├── rule_loader_compiler.cpp
    │   ├── rule_loader_compiler.h
    │   ├── rule_loader_reader.cpp
    │   ├── rule_loader_reader.h
    │   ├── rule_loading_messages.h
    │   ├── stats_manager.cpp
    │   ├── stats_manager.h
    │   └── yaml_helper.h
    └── falco/
        ├── CMakeLists.txt
        ├── app/
        │   ├── actions/
        │   │   ├── actions.h
        │   │   ├── cleanup_outputs.cpp
        │   │   ├── close_inspectors.cpp
        │   │   ├── configure_interesting_sets.cpp
        │   │   ├── configure_syscall_buffer_num.cpp
        │   │   ├── configure_syscall_buffer_size.cpp
        │   │   ├── create_signal_handlers.cpp
        │   │   ├── event_formatter.cpp
        │   │   ├── event_formatter.h
        │   │   ├── helpers.h
        │   │   ├── helpers_generic.cpp
        │   │   ├── helpers_inspector.cpp
        │   │   ├── init_falco_engine.cpp
        │   │   ├── init_inspectors.cpp
        │   │   ├── init_outputs.cpp
        │   │   ├── list_fields.cpp
        │   │   ├── list_plugins.cpp
        │   │   ├── load_config.cpp
        │   │   ├── load_plugins.cpp
        │   │   ├── load_rules_files.cpp
        │   │   ├── pidfile.cpp
        │   │   ├── print_config_schema.cpp
        │   │   ├── print_generated_gvisor_config.cpp
        │   │   ├── print_help.cpp
        │   │   ├── print_ignored_events.cpp
        │   │   ├── print_kernel_version.cpp
        │   │   ├── print_page_size.cpp
        │   │   ├── print_plugin_info.cpp
        │   │   ├── print_rule_schema.cpp
        │   │   ├── print_support.cpp
        │   │   ├── print_syscall_events.cpp
        │   │   ├── print_version.cpp
        │   │   ├── process_events.cpp
        │   │   ├── select_event_sources.cpp
        │   │   ├── start_webserver.cpp
        │   │   └── validate_rules_files.cpp
        │   ├── app.cpp
        │   ├── app.h
        │   ├── options.cpp
        │   ├── options.h
        │   ├── restart_handler.cpp
        │   ├── restart_handler.h
        │   ├── run_result.h
        │   ├── signals.h
        │   └── state.h
        ├── atomic_signal_handler.h
        ├── config_falco.h.in
        ├── config_json_schema.h
        ├── configuration.cpp
        ├── configuration.h
        ├── event_drops.cpp
        ├── event_drops.h
        ├── falco.cpp
        ├── falco_metrics.cpp
        ├── falco_metrics.h
        ├── falco_outputs.cpp
        ├── falco_outputs.h
        ├── falco_semaphore.h
        ├── outputs.h
        ├── outputs_file.cpp
        ├── outputs_file.h
        ├── outputs_http.cpp
        ├── outputs_http.h
        ├── outputs_program.cpp
        ├── outputs_program.h
        ├── outputs_stdout.cpp
        ├── outputs_stdout.h
        ├── outputs_syslog.cpp
        ├── outputs_syslog.h
        ├── stats_writer.cpp
        ├── stats_writer.h
        ├── versions_info.cpp
        ├── versions_info.h
        ├── watchdog.h
        ├── webserver.cpp
        └── webserver.h

================================================
FILE CONTENTS
================================================

================================================
FILE: .circleci/OWNERS
================================================
emeritus_approvers:
  - jonahjon


================================================
FILE: .clang-format
================================================
Language: Cpp
BasedOnStyle: Google
AccessModifierOffset: -4
BreakBeforeBraces: Attach
AllowAllArgumentsOnNextLine: false
AllowAllConstructorInitializersOnNextLine: false
AllowAllParametersOfDeclarationOnNextLine: false
AllowShortFunctionsOnASingleLine: Inline
AllowShortIfStatementsOnASingleLine: Never
AllowShortLoopsOnASingleLine: false
BinPackArguments: false
BinPackParameters: false
ColumnLimit: 100
DerivePointerBinding: false
IndentCaseLabels: false
IndentWidth: 4
SpaceAfterTemplateKeyword: false
TabWidth: 4
UseTab: ForIndentation
BreakConstructorInitializers: AfterColon
ConstructorInitializerIndentWidth: 8
ContinuationIndentWidth: 8
DerivePointerAlignment: true
SortIncludes: Never
SpaceBeforeCtorInitializerColon: false
SpaceBeforeParens: Never
InsertNewlineAtEOF: true
---
Language: Proto
DisableFormat: true
---
Language: JavaScript
DisableFormat: true
---
Language: Java
DisableFormat: true


================================================
FILE: .clang-format-ignore
================================================
# These files contain some JSON schema definitions that are not C++ code
userspace/falco/config_json_schema.h
userspace/engine/rule_json_schema.h


================================================
FILE: .cmake-format.json
================================================
{
	"_help_format": "Options affecting formatting.",
	"format": {
		"_help_disable": [
			"Disable formatting entirely, making cmake-format a no-op"
		],
		"disable": false,
		"_help_line_width": [
			"How wide to allow formatted cmake files"
		],
		"line_width": 100,
		"_help_tab_size": [
			"How many spaces to tab for indent"
		],
		"tab_size": 4,
		"_help_use_tabchars": [
			"If true, lines are indented using tab characters (utf-8",
			"0x09) instead of <tab_size> space characters (utf-8 0x20).",
			"In cases where the layout would require a fractional tab",
			"character, the behavior of the  fractional indentation is",
			"governed by <fractional_tab_policy>"
		],
		"use_tabchars": true,
		"_help_fractional_tab_policy": [
			"If <use_tabchars> is True, then the value of this variable",
			"indicates how fractional indentions are handled during",
			"whitespace replacement. If set to 'use-space', fractional",
			"indentation is left as spaces (utf-8 0x20). If set to",
			"`round-up` fractional indentation is replaced with a single",
			"tab character (utf-8 0x09) effectively shifting the column",
			"to the next tabstop"
		],
		"fractional_tab_policy": "use-space",
		"_help_max_subgroups_hwrap": [
			"If an argument group contains more than this many sub-groups",
			"(parg or kwarg groups) then force it to a vertical layout."
		],
		"max_subgroups_hwrap": 2,
		"_help_max_pargs_hwrap": [
			"If a positional argument group contains more than this many",
			"arguments, then force it to a vertical layout."
		],
		"max_pargs_hwrap": 6,
		"_help_max_rows_cmdline": [
			"If a cmdline positional group consumes more than this many",
			"lines without nesting, then invalidate the layout (and nest)"
		],
		"max_rows_cmdline": 2,
		"_help_separate_ctrl_name_with_space": [
			"If true, separate flow control names from their parentheses",
			"with a space"
		],
		"separate_ctrl_name_with_space": false,
		"_help_separate_fn_name_with_space": [
			"If true, separate function names from parentheses with a",
			"space"
		],
		"separate_fn_name_with_space": false,
		"_help_dangle_parens": [
			"If a statement is wrapped to more than one line, than dangle",
			"the closing parenthesis on its own line."
		],
		"dangle_parens": true,
		"_help_dangle_align": [
			"If the trailing parenthesis must be 'dangled' on its on",
			"line, then align it to this reference: `prefix`: the start",
			"of the statement,  `prefix-indent`: the start of the",
			"statement, plus one indentation  level, `child`: align to",
			"the column of the arguments"
		],
		"dangle_align": "prefix",
		"_help_min_prefix_chars": [
			"If the statement spelling length (including space and",
			"parenthesis) is smaller than this amount, then force reject",
			"nested layouts."
		],
		"min_prefix_chars": 4,
		"_help_max_prefix_chars": [
			"If the statement spelling length (including space and",
			"parenthesis) is larger than the tab width by more than this",
			"amount, then force reject un-nested layouts."
		],
		"max_prefix_chars": 10,
		"_help_max_lines_hwrap": [
			"If a candidate layout is wrapped horizontally but it exceeds",
			"this many lines, then reject the layout."
		],
		"max_lines_hwrap": 2,
		"_help_line_ending": [
			"What style line endings to use in the output."
		],
		"line_ending": "unix",
		"_help_command_case": [
			"Format command names consistently as 'lower' or 'upper' case"
		],
		"command_case": "canonical",
		"_help_keyword_case": [
			"Format keywords consistently as 'lower' or 'upper' case"
		],
		"keyword_case": "unchanged",
		"_help_always_wrap": [
			"A list of command names which should always be wrapped"
		],
		"always_wrap": [],
		"_help_enable_sort": [
			"If true, the argument lists which are known to be sortable",
			"will be sorted lexicographicall"
		],
		"enable_sort": true,
		"_help_autosort": [
			"If true, the parsers may infer whether or not an argument",
			"list is sortable (without annotation)."
		],
		"autosort": false,
		"_help_require_valid_layout": [
			"By default, if cmake-format cannot successfully fit",
			"everything into the desired linewidth it will apply the",
			"last, most agresive attempt that it made. If this flag is",
			"True, however, cmake-format will print error, exit with non-",
			"zero status code, and write-out nothing"
		],
		"require_valid_layout": false,
		"_help_layout_passes": [
			"A dictionary mapping layout nodes to a list of wrap",
			"decisions. See the documentation for more information."
		],
		"layout_passes": {}
	},
	"_help_markup": "Options affecting comment reflow and formatting.",
	"markup": {
		"_help_bullet_char": [
			"What character to use for bulleted lists"
		],
		"bullet_char": "*",
		"_help_enum_char": [
			"What character to use as punctuation after numerals in an",
			"enumerated list"
		],
		"enum_char": ".",
		"_help_first_comment_is_literal": [
			"If comment markup is enabled, don't reflow the first comment",
			"block in each listfile. Use this to preserve formatting of",
			"your copyright/license statements."
		],
		"first_comment_is_literal": false,
		"_help_literal_comment_pattern": [
			"If comment markup is enabled, don't reflow any comment block",
			"which matches this (regex) pattern. Default is `None`",
			"(disabled)."
		],
		"literal_comment_pattern": null,
		"_help_fence_pattern": [
			"Regular expression to match preformat fences in comments",
			"default= ``r'^\\s*([`~]{3}[`~]*)(.*)$'``"
		],
		"fence_pattern": "^\\s*([`~]{3}[`~]*)(.*)$",
		"_help_ruler_pattern": [
			"Regular expression to match rulers in comments default=",
			"``r'^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$'``"
		],
		"ruler_pattern": "^\\s*[^\\w\\s]{3}.*[^\\w\\s]{3}$",
		"_help_explicit_trailing_pattern": [
			"If a comment line matches starts with this pattern then it",
			"is explicitly a trailing comment for the preceding",
			"argument. Default is '#<'"
		],
		"explicit_trailing_pattern": "#<",
		"_help_hashruler_min_length": [
			"If a comment line starts with at least this many consecutive",
			"hash characters, then don't lstrip() them off. This allows",
			"for lazy hash rulers where the first hash char is not",
			"separated by space"
		],
		"hashruler_min_length": 10,
		"_help_canonicalize_hashrulers": [
			"If true, then insert a space between the first hash char and",
			"remaining hash chars in a hash ruler, and normalize its",
			"length to fill the column"
		],
		"canonicalize_hashrulers": true,
		"_help_enable_markup": [
			"enable comment markup parsing and reflow"
		],
		"enable_markup": true
	},
	"_help_lint": "Options affecting the linter",
	"lint": {
		"_help_disabled_codes": [
			"a list of lint codes to disable"
		],
		"disabled_codes": [],
		"_help_function_pattern": [
			"regular expression pattern describing valid function names"
		],
		"function_pattern": "[0-9a-z_]+",
		"_help_macro_pattern": [
			"regular expression pattern describing valid macro names"
		],
		"macro_pattern": "[0-9A-Z_]+",
		"_help_global_var_pattern": [
			"regular expression pattern describing valid names for",
			"variables with global (cache) scope"
		],
		"global_var_pattern": "[A-Z][0-9A-Z_]+",
		"_help_internal_var_pattern": [
			"regular expression pattern describing valid names for",
			"variables with global scope (but internal semantic)"
		],
		"internal_var_pattern": "_[A-Z][0-9A-Z_]+",
		"_help_local_var_pattern": [
			"regular expression pattern describing valid names for",
			"variables with local scope"
		],
		"local_var_pattern": "[a-z][a-z0-9_]+",
		"_help_private_var_pattern": [
			"regular expression pattern describing valid names for",
			"privatedirectory variables"
		],
		"private_var_pattern": "_[0-9a-z_]+",
		"_help_public_var_pattern": [
			"regular expression pattern describing valid names for public",
			"directory variables"
		],
		"public_var_pattern": "[A-Z][0-9A-Z_]+",
		"_help_argument_var_pattern": [
			"regular expression pattern describing valid names for",
			"function/macro arguments and loop variables."
		],
		"argument_var_pattern": "[a-z][a-z0-9_]+",
		"_help_keyword_pattern": [
			"regular expression pattern describing valid names for",
			"keywords used in functions or macros"
		],
		"keyword_pattern": "[A-Z][0-9A-Z_]+",
		"_help_max_conditionals_custom_parser": [
			"In the heuristic for C0201, how many conditionals to match",
			"within a loop in before considering the loop a parser."
		],
		"max_conditionals_custom_parser": 2,
		"_help_min_statement_spacing": [
			"Require at least this many newlines between statements"
		],
		"min_statement_spacing": 1,
		"_help_max_statement_spacing": [
			"Require no more than this many newlines between statements"
		],
		"max_statement_spacing": 2,
		"max_returns": 6,
		"max_branches": 12,
		"max_arguments": 5,
		"max_localvars": 15,
		"max_statements": 50
	}
}


================================================
FILE: .codespellignore
================================================
aks
creat
chage
ro


================================================
FILE: .dockerignore
================================================
*
!config/
!docker/


================================================
FILE: .git-blame-ignore-revs
================================================
# This commit formatted the Falco code for the first time.
50b98b30e588eadce641136da85bc94a60eb6a3d

================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
<!--  Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines in the https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md file.
2. Please label this pull request according to what type of issue you are addressing.
3. Please add a release note!
4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
-->

**What type of PR is this?**

> Uncomment one (or more) `/kind <>` lines:

> /kind bug

> /kind cleanup

> /kind design

> /kind documentation

> /kind failing-test

> /kind feature

> /kind release

<!--
Please remove the leading whitespace before the `/kind <>` you uncommented.
-->

**Any specific area of the project related to this PR?**

> Uncomment one (or more) `/area <>` lines:

> /area build

> /area engine

> /area tests

> /area proposals

> /area CI

<!--
Please remove the leading whitespace before the `/area <>` you uncommented.
-->

**What this PR does / why we need it**:

**Which issue(s) this PR fixes**:

<!--
Automatically closes linked issue when PR is merged.
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
If PR is `kind/failing-tests` or `kind/flaky-test`, please post the related issues/tests in a comment and do not use `Fixes`.
-->

Fixes #

**Special notes for your reviewer**:

**Does this PR introduce a user-facing change?**:

<!--
If NO, just write "NONE" in the release-note block below.

If YES, a release note is required, enter your release note in the block below. 
The convention is the same as for commit messages: https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md#commit-convention
If the PR introduces non-backward compatible changes, please add a line starting with "BREAKING CHANGE:" and describe what changed.
For example, `BREAKING CHANGE: the API interface of the rule engine has changed`.
Your note will be included in the changelog.
-->

```release-note

```


================================================
FILE: .github/dependabot.yml
================================================
#
# Copyright (C) 2023 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Dependabot configuration schema version.
version: 2

updates:
  # Tracks git submodules only, checked daily from the repository root.
  # NOTE(review): no other ecosystem is configured in this file; confirm that the
  # SHA-pinned actions under .github/workflows are refreshed by another mechanism,
  # otherwise those pins only move when someone edits them by hand.
  - package-ecosystem: gitsubmodule
    schedule:
      interval: "daily"
    directory: /


================================================
FILE: .github/release_template.md
================================================
[![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/LIBSVER)
[![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/DRIVERVER)

| Packages | Download                                                                                                                                               |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
| deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
| tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
| tgz-static-x86_64      | [![tgz-static](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-static-x86_64.tar.gz) |
| rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
| deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
| tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |

| Images                                                                    |
|---------------------------------------------------------------------------|
| `docker pull docker.io/falcosecurity/falco:FALCOVER`                      |
| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                 |
| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`        |
| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER-buster` |
| `docker pull docker.io/falcosecurity/falco:FALCOVER-debian`               |



================================================
FILE: .github/workflows/bump-libs.yaml
================================================
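---
# Scheduled job that points the cmake modules at the latest falcosecurity/libs
# master commit and opens a pull request with the new version and archive digest.
name: Bump Libs

on:
  workflow_dispatch:
  schedule:
    - cron: '30 6 * * 1' # on each monday 6:30

# Default token scope for every job; the single job below widens it explicitly.
permissions:
  contents: read

# Only one run of this workflow at a time: a newer run cancels the one in progress.
concurrency:
  group: bump-libs-ci
  cancel-in-progress: true

jobs:
  bump-libs:
    runs-on: ubuntu-latest
    # Write scopes apply to this job only; the create-pull-request step below is
    # handed the token to push branch update/libs and open the PR.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Download libs master tar.gz
        run: |
          wget https://github.com/falcosecurity/libs/archive/refs/heads/master.tar.gz

      - name: Store libs hash and shasum
        id: store
        run: |
          gunzip -c master.tar.gz > master.tar
          commit=$(git get-tar-commit-id < master.tar)
          # The commit id is read out of downloaded data and later lands in a URL and
          # in sed replacement text, so accept nothing but a full hex object id.
          if ! printf '%s' "$commit" | grep -Eq '^([0-9a-f]{40}|[0-9a-f]{64})$'; then
            echo "unexpected commit id in master.tar.gz" >&2
            exit 1
          fi
          echo "COMMIT=$commit" >> "$GITHUB_OUTPUT"
          wget "https://github.com/falcosecurity/libs/archive/$commit.tar.gz"
          # NOTE: this digest is computed from the archive that was just downloaded; it
          # pins later builds to that archive but is not an independent check of it.
          echo "SHASUM=$(sha256sum "$commit.tar.gz" | awk '{print $1}')" >> "$GITHUB_OUTPUT"

      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          path: falco

      - name: Bump libs version and hash
        # Step outputs are handed over as environment variables instead of being
        # expanded into the script text, so their content is never parsed as shell.
        env:
          LIBS_COMMIT: ${{ steps.store.outputs.COMMIT }}
          LIBS_SHASUM: ${{ steps.store.outputs.SHASUM }}
        run: |
          cd falco
          # NOTE(review): the substitutions are anchored to fixed line numbers; if the
          # cmake files shift, sed matches nothing and still exits 0, so the resulting
          # PR diff is the only place where a missed substitution shows up.
          sed -i -E "45s/FALCOSECURITY_LIBS_VERSION \"(.+)\"/FALCOSECURITY_LIBS_VERSION \"${LIBS_COMMIT}\"/" cmake/modules/falcosecurity-libs.cmake
          sed -i -E "47s/\"SHA256=(.+)\"/\"SHA256=${LIBS_SHASUM}\"/" cmake/modules/falcosecurity-libs.cmake
          sed -i -E "38s/DRIVER_VERSION \"(.+)\"/DRIVER_VERSION \"${LIBS_COMMIT}\"/" cmake/modules/driver.cmake
          sed -i -E "40s/\"SHA256=(.+)\"/\"SHA256=${LIBS_SHASUM}\"/" cmake/modules/driver.cmake

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          path: falco
          signoff: true
          base: master
          branch: update/libs
          title: 'update(cmake): update libs and driver to latest master'
          body: |
            This PR updates libs and driver to latest commit.
            /kind release
            /area build
            ```release-note
            NONE
            ```
          commit-message: 'update(cmake): update libs and driver to latest master.'
          token: ${{ secrets.GITHUB_TOKEN }}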


================================================
FILE: .github/workflows/ci.yml
================================================
name: CI Build
on:
  pull_request:
    branches:
      - master
      - release/*
  workflow_dispatch:

# Checks if any concurrent jobs under the same pull request or branch are being executed and cancels them.
# NOTE: this will cancel every workflow that is being run against a PR, because the group is just the github ref (without the workflow name)
concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true  

permissions:  
  contents: read
  
jobs:
  fetch-version:
    uses: ./.github/workflows/reusable_fetch_version.yaml

  build-dev-packages-x86_64:
    needs: [fetch-version]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: x86_64
      version: ${{ needs.fetch-version.outputs.version }}
      enable_debug: true
      enable_sanitizers: true
      use_mimalloc: true

  build-dev-packages-arm64:
    needs: [fetch-version]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}
      enable_debug: true
      use_mimalloc: true

  test-dev-packages:
    needs: [fetch-version, build-dev-packages-x86_64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    # See https://github.com/falcosecurity/falco/pull/3482
    # Since musl build does not support dynamically loaded plugins,
    # many tests would fail (the ones using `container.foo` fields).
    # Disable tests on static builds for now.
#    strategy:
#      fail-fast: false
#      matrix:
#        static: ["static", ""]
    with:
      arch: x86_64
#      sanitizers: ${{ matrix.static == '' && true || false }}
      sanitizers: true
#      static: ${{ matrix.static != '' && true || false }}
      version: ${{ needs.fetch-version.outputs.version }}

  test-dev-packages-arm64:
    needs: [fetch-version, build-dev-packages-arm64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}

  build-dev-minimal:
    uses: ./.github/workflows/reusable_build_dev.yaml
    with:
      arch: x86_64
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: true
      build_type: Debug

  build-dev-minimal-arm64:
    uses: ./.github/workflows/reusable_build_dev.yaml
    with:
      arch: aarch64
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: true
      build_type: Debug

  # builds using system deps, checking out the PR's code
  # note: this also runs a command that generates an output of form: "<engine_version> <some_hash>",
  # of which <some_hash> is computed by hashing in order the following:
  # - Driver schema version supported by the built-in falcosecurity/libs
  # - The supported event types usable in Falco rules (evt.type=xxx)
  # - The supported rules fields with their name, type, and description
  build-dev:
    uses: ./.github/workflows/reusable_build_dev.yaml
    with:
      arch: x86_64
      # The build checks out the pull request's head commit, so everything this
      # job compiles and runs is code that has not been merged yet.
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: false
      sanitizers: true
      build_type: Debug
      # Executed by the reusable workflow after the build. It invokes the freshly
      # built falco binary (--version, --list --markdown, --list-events) and prints
      # the engine version followed by a sha256sum over schema version, fields and
      # events. The result is exported as the `cmdout` output; the two
      # check-engine-* jobs below read its first and second space-separated fields.
      # Because that text is produced by a binary built from the PR, consumers
      # should treat it as untrusted data.
      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"

  # checks the falco engine checksum for consistency
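  check-engine-checksum:
    runs-on: ubuntu-latest
    needs: [build-dev]
    steps:
      - name: Checkout PR head ref
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}

      # Compares the checksum recorded in falco_engine_version.h (PR head) with
      # the one computed by build-dev, and fails the job when they differ.
      - name: Check Engine checksum
        # cmdout is printed by a binary built from the pull request, so it is
        # untrusted. It is handed to the shell through the environment rather
        # than expanded into the script text, where quotes or $(...) inside the
        # value would be interpreted as shell syntax.
        env:
          CMDOUT: ${{ needs.build-dev.outputs.cmdout }}
        run: |
          prev_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
          cur_hash=$(printf '%s\n' "$CMDOUT" | cut -d ' ' -f 2)

          echo "encoded checksum: $prev_hash"
          echo "current checksum: $cur_hash"
          # Quoted operands: an empty or multi-word value must compare as a
          # mismatch, not abort `[` with a syntax error.
          if [ "$prev_hash" != "$cur_hash" ]; then
            echo "current engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h"
            exit 1
          else
            echo "current and encoded engine checksum are matching"
          fi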

  # checks the falco engine version and enforce bumping when necessary
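  check-engine-version:
    runs-on: ubuntu-latest
    needs: [build-dev]
    steps:
      # The base ref is checked out on purpose: the header parsed below is the
      # version already on the target branch, not the one proposed by the PR.
      - name: Checkout base ref
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ github.base_ref }}

      # Fails when the computed checksum changed relative to the base ref but
      # the engine version did not.
      - name: Check Engine version
        # cmdout is printed by a binary built from the pull request, so it is
        # untrusted. It is handed to the shell through the environment rather
        # than expanded into the script text.
        env:
          CMDOUT: ${{ needs.build-dev.outputs.cmdout }}
        run: |
          base_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
          base_engine_ver_major=$(grep ENGINE_VERSION_MAJOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
          base_engine_ver_minor=$(grep ENGINE_VERSION_MINOR "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
          base_engine_ver_patch=$(grep ENGINE_VERSION_PATCH "./userspace/engine/falco_engine_version.h" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g')
          base_engine_ver="${base_engine_ver_major}.${base_engine_ver_minor}.${base_engine_ver_patch}"

          # Field 1 is the engine version, field 2 the checksum (see build-dev's cmd).
          cur_hash=$(printf '%s\n' "$CMDOUT" | cut -d ' ' -f 2)
          cur_engine_ver=$(printf '%s\n' "$CMDOUT" | cut -d ' ' -f 1)

          echo "baseref checksum: $base_hash"
          echo "baseref engine version: $base_engine_ver"
          echo "headref checksum: $cur_hash"
          echo "headref engine version: $cur_engine_ver"
          if [ "$base_hash" != "$cur_hash" ]; then
              echo "engine checksum for baseref and headref differ"
              if [ "$base_engine_ver" == "$cur_engine_ver" ]; then
                  echo "engine version must be bumped"
                  exit 1
              else
                  echo "engine version for baseref and headref differ too, so no bump is required"
              fi
          fi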


================================================
FILE: .github/workflows/codeql.yaml
================================================
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]

permissions:  
  contents: read

jobs:
  # Builds Falco with system dependencies under CodeQL tracing and uploads the
  # results; security-events: write is the only write scope granted.
  analyze:
    name: Analyze
    runs-on: ubuntu-22.04
    permissions:
      security-events: write
      actions: read
      contents: read

    strategy:
      fail-fast: false
      matrix:
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
        language: [ 'cpp' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      with:
        fetch-depth: 0

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    - name: Update base image
      run: sudo apt update -y

    - name: Install build dependencies
      run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libyaml-cpp-dev rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y

    # The build runs between init and analyze; those are the steps the analysis sees.
    - name: Prepare project
      run: cmake -B build -S . -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On

    - name: Build
      run: KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5


================================================
FILE: .github/workflows/codespell.yml
================================================
name: Codespell
on:
  pull_request:
    
permissions:  
  contents: read

jobs:
  # Spell-checks the checked-out tree (file names included, hidden files and
  # .git excluded) using the repository's .codespellignore word list.
  codespell:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
    - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
      with:
        ignore_words_file: .codespellignore
        skip: .git
        check_hidden: false
        check_filenames: true


================================================
FILE: .github/workflows/engine-version-weakcheck.yaml
================================================
# NOTE: it is UNSAFE to run ANY kind of script when using the pull_request_target trigger!
# DO NOT TOUCH THIS FILE UNLESS THE TRIGGER IS CHANGED.
# See warning in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.

name: Engine version checks (weak)
on:
  pull_request_target:
    paths:
      - 'userspace/engine/*.cpp'
      - 'userspace/engine/*.h'

permissions:  
  contents: read

jobs:
  # Reports whether the PR touches userspace/engine/falco_engine_version.h.
  # The result is exposed as the `engine_version_changed` job output.
  paths-filter:
    runs-on: ubuntu-latest
    outputs:
      engine_version_changed: ${{ steps.filter.outputs.engine_version }}
    steps:
    # No `ref` is given: under pull_request_target, actions/checkout defaults to
    # the base branch, so no pull-request code lands in the workspace. Pointing
    # this at the PR head would put untrusted files next to a privileged token.
    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
      id: filter
      with:
        # One filter, `engine_version`, matching only the version header.
        filters: |
          engine_version:
            - 'userspace/engine/falco_engine_version.h'

  # Posts a reminder comment on the PR when engine sources changed (workflow
  # `paths` trigger) but falco_engine_version.h did not (paths-filter output).
  check-engine-version-weak:
    runs-on: ubuntu-22.04
    # The only write scope in this workflow, limited to this job: it is what
    # lets the step below comment on the pull request.
    permissions:
      pull-requests: write
    needs: paths-filter
    if: needs.paths-filter.outputs.engine_version_changed == 'false'
    steps:
      # Uses a pinned action with a static message; no checkout and no `run`
      # step, so nothing from the pull request is executed in this job.
      - name: Check driver Falco engine version
        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
        with:
          # NOTE(review): the trailing `/hold` looks like a command for the
          # repository's PR bot - confirm.
          message: |
            This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

            Please double check **userspace/engine/falco_engine_version.h** file. See [versioning for FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-repo-this-repo).

            /hold


================================================
FILE: .github/workflows/format.yaml
================================================
name: Format code
on:
  pull_request:
  push:
    branches:
      - master
      - "release/**"

permissions:
  contents: read

jobs:
  # Runs the repository's pre-commit hooks over every file; when a hook fails,
  # the resulting working-tree diff is uploaded as an artifact.
  format:
    name: format code 🐲
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repository 🎉
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # pre-commit is installed without a version constraint.
      - name: Install deps ⛓️
        run: |
          sudo apt update -y
          sudo apt install -y --no-install-recommends ca-certificates pip git
          pip install pre-commit

      - name: Run pre-commit ©️
        run: pre-commit run --all-files

      # The two steps below only run after an earlier step has failed.
      - name: Generate the git-diff 🚒
        if: failure()
        run: |
          git diff > format_diff.patch

      - name: Upload the git diff artifact 📦
        if: failure()
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          path: ./format_diff.patch
          name: format_diff.patch


================================================
FILE: .github/workflows/insecure-api.yaml
================================================
name: Insecure API check
on:
  pull_request:
    branches:
      - master
      - 'release/**'
      - 'maintainers/**'

permissions:  
  contents: read

jobs:
  # Scans the pull request with the repository's own Semgrep rules (./semgrep)
  # and fails the job when the PR introduces a finding.
  insecure-api:
    name: check-insecure-api
    runs-on: ubuntu-latest
    container:
      # Pinned by tag and digest, so the scanner image cannot change silently.
      image: semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
    steps:
      - name: Checkout Falco ⤵️
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          # Full history; presumably needed so the baseline commit below is
          # available locally - confirm.
          fetch-depth: 0
      - name: Scan PR for insecure API usage 🕵️
        # --error            exit non-zero when there are findings
        # --metrics=off      do not send usage metrics
        # --baseline-commit  report only findings that are not already present
        #                    at the PR's base commit
        # --config           rules are read from the ./semgrep directory
        run: |
          semgrep scan \
            --error \
            --metrics=off \
            --baseline-commit ${{ github.event.pull_request.base.sha }} \
            --config=./semgrep


================================================
FILE: .github/workflows/master.yaml
================================================
name: Dev Packages and Docker images
on:
  push:
    branches: [master]

permissions:
  contents: read

# If a master CI run is already in progress when a new one starts, cancel it
concurrency:
  group: ci-master
  cancel-in-progress: true

jobs:
  # Delegates to reusable_fetch_version.yaml; later jobs read its `version` output.
  fetch-version:
    uses: ./.github/workflows/reusable_fetch_version.yaml

  # x86_64 package build. `secrets: inherit` forwards every secret available
  # to this workflow to the called one.
  build-dev-packages:
    needs:
      - fetch-version
    uses: ./.github/workflows/reusable_build_packages.yaml
    secrets: inherit
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      arch: x86_64
  
  # aarch64 package build; all caller secrets are forwarded to the called workflow.
  build-dev-packages-arm64:
    needs:
      - fetch-version
    uses: ./.github/workflows/reusable_build_packages.yaml
    secrets: inherit
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      arch: aarch64

  # Calls reusable_test_packages.yaml for x86_64 after build-dev-packages;
  # no secrets are passed to the test workflow.
  test-dev-packages:
    needs:
      - fetch-version
      - build-dev-packages
    uses: ./.github/workflows/reusable_test_packages.yaml
    # See https://github.com/falcosecurity/falco/pull/3482
    # Since musl build does not support dynamically loaded plugins,
    # many tests would fail (the ones using `container.foo` fields).
    # Disable tests on static builds for now.
#    strategy:
#      fail-fast: false
#      matrix:
#        static: ["static", ""]
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      arch: x86_64
#      static: ${{ matrix.static != '' && true || false }}
  
  # aarch64 counterpart of test-dev-packages.
  test-dev-packages-arm64:
    needs:
      - fetch-version
      - build-dev-packages-arm64
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      arch: aarch64

  # Publishing is gated on both test jobs and targets the '-dev' bucket suffix.
  # All caller secrets are forwarded to the publish workflow.
  publish-dev-packages:
    needs:
      - fetch-version
      - test-dev-packages
      - test-dev-packages-arm64
    uses: ./.github/workflows/reusable_publish_packages.yaml
    secrets: inherit
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      bucket_suffix: '-dev'
  
  # x86_64 image build, started only after the dev packages were published.
  build-dev-docker:
    needs:
      - fetch-version
      - publish-dev-packages
    uses: ./.github/workflows/reusable_build_docker.yaml
    secrets: inherit
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      tag: master
      bucket_suffix: '-dev'
      arch: x86_64
    
  # aarch64 image build, started only after the dev packages were published.
  build-dev-docker-arm64:
    needs:
      - fetch-version
      - publish-dev-packages
    uses: ./.github/workflows/reusable_build_docker.yaml
    secrets: inherit
    with:
      version: ${{ needs.fetch-version.outputs.version }}
      tag: master
      bucket_suffix: '-dev'
      arch: aarch64
    
  # Publishes under the `master` tag once both per-architecture image builds
  # are done; all caller secrets are forwarded.
  publish-dev-docker:
    needs:
      - fetch-version
      - build-dev-docker
      - build-dev-docker-arm64
    uses: ./.github/workflows/reusable_publish_docker.yaml
    secrets: inherit
    with:
      tag: master


================================================
FILE: .github/workflows/release.yaml
================================================
name: Release Packages and Docker images
on:
  release:
    types: [published]

permissions:
  contents: read

# If a release CI run is already in progress when a new one starts, cancel it.
concurrency:
  group: ci-release
  cancel-in-progress: true

jobs:
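  # Validates the release tag and derives two settings for the later jobs:
  #   is_latest      - 'true' only when the tag equals the latest stable
  #                    release and carries no pre-release suffix
  #   bucket_suffix  - '-dev' for pre-releases, empty otherwise
  # Every other job in this workflow needs this one, so a tag that fails the
  # semver check stops the release before the tag reaches any build script.
  release-settings:
    runs-on: ubuntu-latest
    outputs:
      is_latest: ${{ steps.get_settings.outputs.is_latest }}
      bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
    steps:
      - name: Get latest release
        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
        id: latest_release
        env:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository }}
          type: "stable"

      - name: Get settings for this release
        id: get_settings
        shell: python
        # The tag name and the latest-release output are read from the
        # environment. Expanding them into the Python source would let a quote
        # in the tag name change the program before the validation below runs.
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
          LATEST_RELEASE: ${{ steps.latest_release.outputs.release }}
        run: |
          import os
          import re
          import sys

          # Raw string: the pattern contains \d and \. which are not valid
          # escapes in a plain Python string literal.
          semver_no_meta = r'''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
          tag_name = os.environ['TAG_NAME']

          is_valid_version = re.match(semver_no_meta, tag_name) is not None
          if not is_valid_version:
            print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
            sys.exit(1)

          is_prerelease = '-' in tag_name

          # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
          is_latest = os.environ.get('LATEST_RELEASE', '') == tag_name and not is_prerelease

          bucket_suffix = '-dev' if is_prerelease else ''

          with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
            print(f'is_latest={is_latest}'.lower(), file=ofp)
            print(f'bucket_suffix={bucket_suffix}', file=ofp)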

  # x86_64 release package build with jemalloc; runs only after
  # release-settings has accepted the tag. All caller secrets are forwarded.
  build-packages:
    needs:
      - release-settings
    uses: ./.github/workflows/reusable_build_packages.yaml
    secrets: inherit
    with:
      version: ${{ github.event.release.tag_name }}
      arch: x86_64
      use_jemalloc: true

  # aarch64 release package build with jemalloc; all caller secrets are forwarded.
  build-packages-arm64:
    needs:
      - release-settings
    uses: ./.github/workflows/reusable_build_packages.yaml
    secrets: inherit
    with:
      version: ${{ github.event.release.tag_name }}
      arch: aarch64
      use_jemalloc: true

  # Calls reusable_test_packages.yaml for the x86_64 release packages;
  # no secrets are passed to the test workflow.
  test-packages:
    needs:
      - release-settings
      - build-packages
    uses: ./.github/workflows/reusable_test_packages.yaml
    # See https://github.com/falcosecurity/falco/pull/3482
    # Since musl build does not support dynamically loaded plugins,
    # many tests would fail (the ones using `container.foo` fields).
    # Disable tests on static builds for now.
#    strategy:
#      fail-fast: false
#      matrix:
#        static: ["static", ""]
    with:
      version: ${{ github.event.release.tag_name }}
      arch: x86_64
#      static: ${{ matrix.static != '' && true || false }}

  # aarch64 counterpart of test-packages.
  test-packages-arm64:
    needs:
      - release-settings
      - build-packages-arm64
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      version: ${{ github.event.release.tag_name }}
      arch: aarch64

  # Publishing is gated on both test jobs; the bucket suffix comes from
  # release-settings. All caller secrets are forwarded to the publish workflow.
  publish-packages:
    needs:
      - release-settings
      - test-packages
      - test-packages-arm64
    uses: ./.github/workflows/reusable_publish_packages.yaml
    secrets: inherit
    with:
      version: ${{ github.event.release.tag_name }}
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}

  # Both build-docker and its arm64 counterpart require build-packages because they use its output
  # x86_64 release image build, tagged with the release tag name.
  build-docker:
    needs:
      - release-settings
      - build-packages
      - publish-packages
    uses: ./.github/workflows/reusable_build_docker.yaml
    secrets: inherit
    with:
      version: ${{ github.event.release.tag_name }}
      tag: ${{ github.event.release.tag_name }}
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
      arch: x86_64

  # aarch64 release image build, tagged with the release tag name.
  build-docker-arm64:
    needs:
      - release-settings
      - build-packages
      - publish-packages
    uses: ./.github/workflows/reusable_build_docker.yaml
    secrets: inherit
    with:
      version: ${{ github.event.release.tag_name }}
      tag: ${{ github.event.release.tag_name }}
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
      arch: aarch64

  # Publishes the release images with `sign: true`; `is_latest` is passed as a
  # boolean derived from release-settings. All caller secrets are forwarded.
  publish-docker:
    needs:
      - release-settings
      - build-docker
      - build-docker-arm64
    uses: ./.github/workflows/reusable_publish_docker.yaml
    with:
      tag: ${{ github.event.release.tag_name }}
      is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
      sign: true
    secrets: inherit

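  # Assembles the release description from .github/release_template.md plus
  # generated notes, and attaches the debug symbols of both architectures.
  # This is the only job in the workflow with contents: write.
  release-body:
    needs: [release-settings, publish-docker]
    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Extract LIBS and DRIVER versions
        run: |
          cp .github/release_template.md release-body.md
          LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
          # Quoted so that an empty or unexpected value stays one sed argument.
          sed -i "s/LIBSVER/${LIBS_VERS}/g" release-body.md
          sed -i "s/DRIVERVER/${DRIVER_VERS}/g" release-body.md

      - name: Append release matrixes
        # Event and job-output values are passed through the environment and
        # quoted, so they reach sed as data instead of being expanded into the
        # script text. release-settings has already restricted the tag to the
        # semver pattern; this keeps the step safe on its own.
        env:
          BUCKET_SUFFIX: ${{ needs.release-settings.outputs.bucket_suffix }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          sed -i "s/FALCOBUCKET/${BUCKET_SUFFIX}/g" release-body.md
          sed -i "s/FALCOVER/${TAG_NAME}/g" release-body.md

      - name: Generate release notes
        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
        with:
          milestone: ${{ github.event.release.tag_name }}
          output: ./notes.md

      - name: Merge release notes to pre existent body
        run: cat notes.md >> release-body.md

      - name: Attach release creator to release body
        env:
          RELEASE_AUTHOR: ${{ github.event.release.author.login }}
        run: |
          echo "" >> release-body.md
          echo "#### Release Manager @${RELEASE_AUTHOR}" >> release-body.md

      - name: Download debug symbols for Falco x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ github.event.release.tag_name }}-x86_64.debug

      # Each artifact unpacks to falco.debug, so it is renamed before the next
      # download would overwrite it.
      - name: Rename x86_64 debug symbols
        run: mv falco.debug falco-x86_64.debug

      - name: Download debug symbols for Falco aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ github.event.release.tag_name }}-aarch64.debug

      - name: Rename aarch64 debug symbols
        run: mv falco.debug falco-aarch64.debug

      - name: Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
          name: ${{ github.event.release.name }}
          files: |
            falco-x86_64.debug
            falco-aarch64.debug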


================================================
FILE: .github/workflows/reusable_build_dev.yaml
================================================
# This is a reusable workflow used by the master CI
on:
  workflow_call:
    outputs:
      cmdout:
        description: "Post-build command output"
        value: ${{ jobs.build-and-test.outputs.cmdout }}
    inputs:
      arch:
        description: x86_64 or aarch64
        required: true
        type: string
      minimal:
        description: Minimal build
        required: true
        type: boolean
      sanitizers:
        description: Enable sanitizer support
        required: false
        default: false
        type: boolean
      build_type:
        description: One of 'Debug' or 'Release'
        required: true
        type: string
      git_ref:
        description: Git ref used for checking out the code
        required: true
        type: string
      cmd:
        description: If defined, this command is executed after a successful build and its output is set in the `cmdout` output
        required: false
        default: ''
        type: string

permissions: 
  contents: read

jobs:
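  # Checks out `inputs.git_ref`, builds Falco with system dependencies, runs the
  # unit tests and, when `inputs.cmd` is set, runs it and exports what it prints
  # as the `cmdout` output.
  build-and-test:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    outputs:
      cmdout: ${{ steps.run_cmd.outputs.out }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ inputs.git_ref }}

      - name: Update base image
        run: sudo apt update -y

      - name: Install build dependencies
        run: sudo DEBIAN_FRONTEND=noninteractive apt install libelf-dev libyaml-cpp-dev cmake build-essential git -y

      - name: Install build dependencies (non-minimal)
        if: inputs.minimal != true
        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y

      - name: Prepare project
        run: |
          cmake -B build -S . \
            -DBUILD_FALCO_UNIT_TESTS=On \
            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
            -DBUILD_FALCO_MODERN_BPF=Off \
            -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
            -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
            -DUSE_BUNDLED_DEPS=Off \
            -DUSE_BUNDLED_NLOHMANN_JSON=On \
            -DUSE_BUNDLED_CXXOPTS=On \
            -DUSE_BUNDLED_CPPHTTPLIB=On

      - name: Build
        run: |
          KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4

      # The unit tests are binaries built from `git_ref` and run under sudo.
      - name: Run unit tests
        run: |
          pushd build
          sudo ./unit_tests/falco_unit_tests
          popd

      - name: Run command
        id: run_cmd
        if: inputs.cmd != ''
        # `inputs.cmd` is written by the calling workflow and is expanded into
        # the script as-is. What it prints comes from the freshly built tree,
        # so the output is written with the delimiter form of GITHUB_OUTPUT:
        # with a plain `out=...` line, a newline in the output would start
        # further `name=value` lines and could define extra outputs.
        run: |
          OUT=$(${{ inputs.cmd }})
          delim="cmdout_$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
          {
            printf 'out<<%s\n' "$delim"
            printf '%s\n' "$OUT"
            printf '%s\n' "$delim"
          } >> "$GITHUB_OUTPUT"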


================================================
FILE: .github/workflows/reusable_build_docker.yaml
================================================
# This is a reusable workflow used by master and release CI
on:
  workflow_call:
    inputs:
      arch:
        description: x86_64 or aarch64
        required: true
        type: string
      bucket_suffix:
        description: bucket suffix for packages
        required: false
        default: ''
        type: string
      version:
        description: The Falco version to use when building images
        required: true
        type: string
      tag:
        description: The tag to use (e.g. "master" or "0.35.0")
        required: true
        type: string

# Here we just build all docker images as tarballs,
# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
# In this way, we don't need to publish any arch specific image,
# and this "build" workflow is actually only building images.

permissions:
  contents: read

jobs:
  # Builds four images for one architecture, saves each as a tarball under /tmp
  # and uploads the tarballs as a single short-lived artifact.
  #
  # `inputs.*` values are expanded into the scripts before the shell runs. The
  # callers shown in master.yaml and release.yaml pass the literal `master` or
  # the release tag name for `tag`, and the fetched version or the release tag
  # name for `version`.
  build-docker:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    env:
      TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Build falco image
        run: |
          docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar

      - name: Build falco-debian image
        run: |
          docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar

      # The driver-loader image is given FALCO_IMAGE_TAG, the tag of the falco
      # image built in the first step.
      - name: Build falco-driver-loader image
        run: |
          docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
            --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar

      - name: Build falco-driver-loader-buster image
        run: |
          docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar

      # One artifact per architecture, kept for a single day.
      - name: Upload images tarballs
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-images-${{ inputs.arch }}
          retention-days: 1
          path: /tmp/falco-*.tar


================================================
FILE: .github/workflows/reusable_build_packages.yaml
================================================
# This is a reusable workflow used by master and release CI
on:
  workflow_call:
    inputs:
      arch:
        description: x86_64 or aarch64
        required: true
        type: string
      version:
        description: The Falco version to use when building packages
        required: true
        type: string
      enable_debug:
        description: Also create a debug build
        required: false
        type: boolean
        default: false
      enable_sanitizers:
        description: Also create a sanitizer build
        required: false
        type: boolean
        default: false
      use_jemalloc:
        description: Use jemalloc memory allocator
        required: false
        type: boolean
        default: false
      use_mimalloc:
        description: Use mimalloc memory allocator
        required: false
        type: boolean
        default: false

permissions:
  contents: read

jobs:
  # Builds the ProbeSkeleton target inside a Fedora container and uploads the
  # generated bpf_probe.skel.h for the package build jobs to download.
  build-modern-bpf-skeleton:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    # NOTE(review): referenced by tag only. The semgrep image in
    # insecure-api.yaml is pinned by digest; a digest here would make the
    # toolchain that generates the skeleton header reproducible as well.
    container: fedora:41
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
        run: |
          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Build modern BPF skeleton
        run: |
          cmake -B skeleton-build -S . \
                -DUSE_BUNDLED_DEPS=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }}
          cmake --build skeleton-build --target ProbeSkeleton -j6

      # The artifact name carries the architecture; it is kept for one day.
      - name: Upload skeleton
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
          retention-days: 1

  # Builds the RelWithDebInfo falco binary with bundled dependencies, packages
  # it, and uploads the tar.gz, deb, rpm and debug-symbol files as artifacts.
  # The master and release workflows call this file with `secrets: inherit`,
  # so the integrity of every tool fetched below matters.
  build-packages-release:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    needs: [build-modern-bpf-skeleton]
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build deps
        run: |
          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien

      # NOTE(review): the RPM is fetched from a third-party mirror and then
      # converted and installed as root (`alien -d -i`) with no checksum or
      # signature check in between. Recording the expected SHA-256 next to the
      # file name and verifying it with `sha256sum -c` before the install would
      # close that gap.
      - name: Install systemd rpm macros
        run: |
          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm
          sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # The skeleton header produced by build-modern-bpf-skeleton is placed in
      # /tmp, which is what MODERN_BPF_SKEL_DIR points at below.
      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp

      # NOTE(review): this workflow declares `enable_sanitizers`, not
      # `sanitizers`, so the condition reads an input that does not exist and
      # probably always evaluates to true - confirm what was intended.
      # NOTE(review): `@master` is a moving branch reference, whereas every
      # other action in this file is pinned to a commit SHA; pinning this one
      # would keep a later change to that branch out of the release build.
      - name: Install zig
        if: inputs.sanitizers == false
        uses: falcosecurity/libs/.github/actions/install-zig@master

      - name: Prepare project
        run: |
          cmake -B build -S . \
              -DCMAKE_BUILD_TYPE=RelWithDebInfo \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
              -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target falco -j6

      - name: Build packages
        run: |
          cmake --build build --target package

      # Artifact names combine version and architecture; no retention-days is
      # set on these uploads, unlike the skeleton artifact.
      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz

      - name: Upload Falco deb package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
          path: |
            ${{ github.workspace }}/build/falco-*.deb

      - name: Upload Falco rpm package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
          path: |
            ${{ github.workspace }}/build/falco-*.rpm

      # release.yaml's release-body job downloads this artifact by name.
      - name: Upload Falco debug symbols
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.debug
          path: |
            ${{ github.workspace }}/build/userspace/falco/falco.debug

  build-packages-debug:
    # Debug-configuration counterpart of the release build; runs only when the
    # caller sets enable_debug and uploads a single "-debug" tar.gz artifact.
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    if: ${{ inputs.enable_debug == true }}
    needs: [build-modern-bpf-skeleton]
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build deps
        run: |
          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Fetches the bpf_probe.skel.h artifact into /tmp, which is passed to CMake
      # below as MODERN_BPF_SKEL_DIR.
      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp

      # NOTE(review): @master is a mutable ref, unlike the SHA-pinned actions used
      # elsewhere in this job; pin it to a full commit SHA (<commit-sha>).
      # NOTE(review): the job-level conditions in this file test
      # inputs.enable_sanitizers, while this step tests inputs.sanitizers; confirm
      # that input is declared by this workflow.
      - name: Install zig
        if: inputs.sanitizers == false
        uses: falcosecurity/libs/.github/actions/install-zig@master

      - name: Prepare project
        run: |
          cmake -B build -S . \
              -DCMAKE_BUILD_TYPE=Debug \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
              -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target falco -j6

      - name: Build packages
        run: |
          cmake --build build --target package

      # Only the tar.gz is uploaded for the debug build.
      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}-debug.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz

  build-packages-sanitizers:
    # Debug build with AddressSanitizer enabled (USE_ASAN=On); runs only when the
    # caller sets enable_sanitizers and uploads a "-sanitizers" tar.gz artifact,
    # which is the name reusable_test_packages.yaml requests when its sanitizers
    # input is true.
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    if: ${{ inputs.enable_sanitizers == true }}
    needs: [build-modern-bpf-skeleton]
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build deps
        run: |
          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Fetches the bpf_probe.skel.h artifact into /tmp, which is passed to CMake
      # below as MODERN_BPF_SKEL_DIR.
      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp

      - name: Prepare project
        # Jemalloc and ASAN don't play very well together.
        # Both alternative allocators are therefore forced Off here, regardless of
        # the use_jemalloc / use_mimalloc inputs honoured by the other build jobs.
        run: |
          cmake -B build -S . \
              -DCMAKE_BUILD_TYPE=Debug \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DUSE_JEMALLOC=Off \
              -DUSE_MIMALLOC=Off \
              -DUSE_ASAN=On \
              -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target falco -j6

      - name: Build packages
        run: |
          cmake --build build --target package

      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}-sanitizers.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz

  build-musl-package:
    # Builds the musl-optimized package inside an Alpine container and uploads it
    # as the "-static-" tarball. reusable_publish_packages.yaml downloads an
    # artifact with that name and publishes it, so the container image and the
    # tools installed below are inputs to a published binary.
    # x86_64 only for now
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: ubuntu-latest
    # NOTE(review): alpine:3.17 is a mutable tag, not an image digest; consider
    # pinning as alpine@sha256:<digest> and confirm this Alpine branch still
    # receives security updates.
    container: alpine:3.17
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      # NOTE(review): bpftool is cloned by tag (v7.3.0) and its submodules are
      # fetched, then built and installed into the build container. Git tags can be
      # moved upstream; checking out a known commit SHA (<commit-sha>) after the
      # clone would make this input immutable. The apk packages are unversioned.
      - name: Install build dependencies
        run: |
          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && make install

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # Release configuration restricted to the TGZ package generator.
      - name: Prepare project
        run: |
          cmake -B build -S . \
                -DCMAKE_BUILD_TYPE=Release \
                -DCPACK_GENERATOR=TGZ \
                -DBUILD_DRIVER=Off \
                -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
                -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
                -DUSE_BUNDLED_DEPS=On \
                -DMUSL_OPTIMIZED_BUILD=On \
                -DFALCO_ETC_DIR=/etc/falco \
                -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build -j6

      - name: Build packages
        run: |
          cmake --build build -j6 --target package

      # The package target emits falco-<version>-x86_64.tar.gz; rename it so it
      # does not collide with the non-static tarball of the same architecture.
      - name: Rename static package
        run: |
          cd build
          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz

      - name: Upload Falco static package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz

  build-wasm-package:
    # Cross-compiles Falco to WebAssembly with Emscripten, runs the unit tests
    # under Node.js and uploads the resulting "-wasm" tarball.
    # reusable_publish_packages.yaml downloads an artifact with that name.
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: ubuntu-22.04
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      # The Emscripten toolchain comes from the distribution's apt repository.
      - name: Install build dependencies
        run: |
          sudo apt update
          sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y

      # NOTE(review): Node.js 14 is past its upstream end-of-life. It is used
      # below to run the unit tests; confirm whether a maintained release works
      # with this Emscripten version.
      - name: Select node version
        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
        with:
          node-version: 14

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # emcmake wraps the CMake configure step so that it targets Emscripten.
      - name: Prepare project
        run: |
          emcmake cmake -B build -S . \
            -DCMAKE_BUILD_TYPE=Release \
            -DUSE_BUNDLED_DEPS=On \
            -DFALCO_ETC_DIR=/etc/falco \
            -DBUILD_FALCO_UNIT_TESTS=On \
            -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cd build
          emmake make -j6 all

      # The unit tests are built as a JavaScript entry point and executed by node.
      - name: Run unit Tests
        run: |
          cd build
          node ./unit_tests/falco_unit_tests.js

      - name: Build packages
        run: |
          cd build
          emmake make -j6 package

      - name: Upload Falco WASM package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-wasm.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz

  build-win32-package:
    # Minimal (MINIMAL_BUILD=On) Windows build: configures, builds the package
    # target in Release, runs the unit tests and uploads both the generated
    # installer and the bare falco.exe.
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # NOTE(review): NSIS is installed without a version constraint, so the
      # packaging tool can change between runs; presumably it is what the package
      # target uses to produce the installer uploaded below — confirm, and
      # consider pinning a version.
      - name: Install NSIS
        run: choco install nsis -y

      # NOTE: Backslash doesn't work as line continuation on Windows.
      - name: Prepare project
        run: |
          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target package --config Release

      - name: Run unit Tests
        run: |
          build/unit_tests/Release/falco_unit_tests.exe

      # Unlike the other jobs, these artifact names do not embed the version.
      - name: Upload Falco win32 installer
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-installer-Release-win32.exe
          path: build/falco-*.exe

      - name: Upload Falco win32 package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-Release-win32.exe
          path: |
            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe

  build-macos-package:
    # Minimal (MINIMAL_BUILD=On) macOS build: configures, builds the package
    # target, runs the unit tests and uploads the bare falco binary.
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # No CMAKE_BUILD_TYPE is passed here, unlike the other platform jobs.
      - name: Prepare project
        run: |
          cmake -B build -S . \
                -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target package

      # NOTE(review): the unit tests run as root here, while the Windows and WASM
      # jobs run them unprivileged; confirm the tests actually need it.
      - name: Run unit Tests
        run: |
          sudo build/unit_tests/falco_unit_tests

      - name: Upload Falco macos package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-macos
          path: |
            ${{ github.workspace }}/build/userspace/falco/falco


================================================
FILE: .github/workflows/reusable_fetch_version.yaml
================================================
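# This is a reusable workflow used by master and release CI.
# It configures the project with CMake and exposes the Falco version found in
# the generated config_falco.h as the `version` workflow output.
on:
  workflow_call:
    outputs:
      version:
        description: "Falco version"
        value: ${{ jobs.fetch-version.outputs.version }}

permissions:
  contents: read

jobs:
  # We need to use an ubuntu-latest to fetch Falco version because
  # Falco version is computed by some cmake scripts that do git sorceries
  # to get the current version.
  # But centos7 jobs have a git version too old and actions/checkout does not
  # fully clone the repo, but uses http rest api instead.
  fetch-version:
    runs-on: ubuntu-latest
    # Map the job outputs to step outputs
    outputs:
      version: ${{ steps.store_version.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          # Full history, so the CMake version logic has the git data it needs.
          fetch-depth: 0

      - name: Install build dependencies
        run: |
          sudo apt update
          sudo apt install -y cmake build-essential

      # Configure only; nothing is built. This generates config_falco.h.
      - name: Configure project
        run: |
          cmake -B build -S . -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off

      # Takes the third space-separated field of the line containing
      # "FALCO_VERSION " and strips the surrounding double quotes.
      # grep reads the header directly and $GITHUB_OUTPUT is quoted so the
      # redirect target cannot be word-split.
      - name: Load and store Falco version output
        id: store_version
        run: |
          FALCO_VERSION=$(grep 'FALCO_VERSION ' build/userspace/falco/config_falco.h | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
          echo "version=${FALCO_VERSION}" >> "$GITHUB_OUTPUT"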


================================================
FILE: .github/workflows/reusable_publish_docker.yaml
================================================
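# This is a reusable workflow used by master and release CI.
#
# It loads the per-architecture image tarballs from workflow artifacts, pushes
# them to Docker Hub, creates the multi-arch manifests, copies the result to
# ECR Public, optionally moves the `latest` tags, optionally signs the images
# with cosign and records build-provenance attestations.
#
# Hardening: `inputs.tag` reaches shell steps through the TAG environment
# variable rather than being expanded by `${{ }}` inside the script text, so the
# value is always treated as data by the shell. This job holds registry
# credentials and an OIDC token, which is why the distinction matters here.
on:
  workflow_call:
    inputs:
      tag:
        description: The tag to push
        required: true
        type: string
      is_latest:
        description: Update the latest tag with the new image
        required: false
        type: boolean
        default: false
      sign:
        description: Add signature with cosign
        required: false
        type: boolean
        default: false

permissions:
  contents: read

jobs:
  publish-docker:
    runs-on: ubuntu-latest

    # id-token: write is used for the AWS role assumption, keyless cosign
    # signing and attestation; attestations: write lets the attestation steps
    # store their results.
    permissions:
      attestations: write
      id-token: write
      contents: read

    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Both architectures land in the same directory.
      - name: Download x86_64 images tarballs
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-images-x86_64
          path: /tmp/falco-images

      - name: Download aarch64 images tarballs
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-images-aarch64
          path: /tmp/falco-images

      - name: Load all images
        run: |
          for img in /tmp/falco-images/falco-*.tar; do docker load --input "$img"; done

      # Docker Hub is authenticated with long-lived repository secrets.
      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_SECRET }}

      # AWS is authenticated by assuming a role with the job's OIDC token; no
      # static AWS keys are configured in this step.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
          aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.

      - name: Login to Amazon ECR
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
        with:
          registry-type: public

      - name: Setup Crane
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
        with:
          version: v0.15.1

      # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
      - name: Push arch-specific images to Docker Hub
        env:
          TAG: ${{ inputs.tag }}
        run: |
          docker push "docker.io/falcosecurity/falco:aarch64-${TAG}"
          docker push "docker.io/falcosecurity/falco:x86_64-${TAG}"
          docker push "docker.io/falcosecurity/falco:aarch64-${TAG}-debian"
          docker push "docker.io/falcosecurity/falco:x86_64-${TAG}-debian"
          docker push "docker.io/falcosecurity/falco-driver-loader:aarch64-${TAG}"
          docker push "docker.io/falcosecurity/falco-driver-loader:x86_64-${TAG}"
          docker push "docker.io/falcosecurity/falco-driver-loader:aarch64-${TAG}-buster"
          docker push "docker.io/falcosecurity/falco-driver-loader:x86_64-${TAG}-buster"

      - name: Create Falco manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
          push: true

      - name: Create falco-debian manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
          push: true

      - name: Create falco-driver-loader manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
          push: true

      - name: Create falco-driver-loader-buster manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
          push: true

      - name: Get Digests for images
        id: digests
        # We could probably use the docker-manifest-action output instead of recomputing those with crane
        # NOTE(review): the digests are read back from the registry by tag after
        # the push, so the signatures and attestations below cover whatever the
        # tag resolves to at that moment. Taking the digest from the step that
        # created the manifest would bind them to what this job produced.
        env:
          TAG: ${{ inputs.tag }}
        run: |
          echo "falco=$(crane digest "docker.io/falcosecurity/falco:${TAG}")" >> "$GITHUB_OUTPUT"
          echo "falco-debian=$(crane digest "docker.io/falcosecurity/falco:${TAG}-debian")" >> "$GITHUB_OUTPUT"
          echo "falco-driver-loader=$(crane digest "docker.io/falcosecurity/falco-driver-loader:${TAG}")" >> "$GITHUB_OUTPUT"
          echo "falco-driver-loader-buster=$(crane digest "docker.io/falcosecurity/falco-driver-loader:${TAG}-buster")" >> "$GITHUB_OUTPUT"

      # Registry-to-registry copy of the manifests created above.
      - name: Publish images to ECR
        env:
          TAG: ${{ inputs.tag }}
        run: |
          crane copy "docker.io/falcosecurity/falco:${TAG}" "public.ecr.aws/falcosecurity/falco:${TAG}"
          crane copy "docker.io/falcosecurity/falco:${TAG}-debian" "public.ecr.aws/falcosecurity/falco:${TAG}-debian"
          crane copy "docker.io/falcosecurity/falco-driver-loader:${TAG}" "public.ecr.aws/falcosecurity/falco-driver-loader:${TAG}"
          crane copy "docker.io/falcosecurity/falco-driver-loader:${TAG}-buster" "public.ecr.aws/falcosecurity/falco-driver-loader:${TAG}-buster"

      - name: Tag latest on Docker Hub and ECR
        if: inputs.is_latest
        env:
          TAG: ${{ inputs.tag }}
        run: |
          crane tag "docker.io/falcosecurity/falco:${TAG}" latest
          crane tag "docker.io/falcosecurity/falco:${TAG}-debian" latest-debian
          crane tag "docker.io/falcosecurity/falco-driver-loader:${TAG}" latest
          crane tag "docker.io/falcosecurity/falco-driver-loader:${TAG}-buster" latest-buster

          crane tag "public.ecr.aws/falcosecurity/falco:${TAG}" latest
          crane tag "public.ecr.aws/falcosecurity/falco:${TAG}-debian" latest-debian
          crane tag "public.ecr.aws/falcosecurity/falco-driver-loader:${TAG}" latest
          crane tag "public.ecr.aws/falcosecurity/falco-driver-loader:${TAG}-buster" latest-buster

      - name: Setup Cosign
        if: inputs.sign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      # Every reference below carries the digest computed earlier, so signing is
      # by digest even though a `latest*` tag also appears in the reference.
      # NOTE(review): COSIGN_EXPERIMENTAL was the opt-in for keyless signing in
      # cosign 1.x; confirm it is still needed with the cosign version that the
      # installer above provides.
      - name: Sign images with cosign
        if: inputs.sign
        env:
          COSIGN_EXPERIMENTAL: "true"
          COSIGN_YES: "true"
        run: |
          cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
          cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
          cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}

          cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
          cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}

      # NOTE(review): provenance is attested only for the default falco and
      # falco-driver-loader digests on Docker Hub; the -debian and -buster
      # digests computed above get no attestation. Confirm that is intended.
      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
        with:
          subject-name: docker.io/falcosecurity/falco
          subject-digest: ${{ steps.digests.outputs.falco }}
          push-to-registry: true

      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
        with:
          subject-name: docker.io/falcosecurity/falco-driver-loader
          subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
          push-to-registry: true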


================================================
FILE: .github/workflows/reusable_publish_packages.yaml
================================================
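# This is a reusable workflow used by master and release CI.
#
# It downloads the package artifacts built earlier in the run, imports the
# signing key and hands the files to the repository's publish scripts.
#
# Hardening: `inputs.version` and `inputs.bucket_suffix` reach shell steps
# through environment variables rather than being expanded by `${{ }}` inside
# the script text, so the values are always treated as data by the shell. These
# jobs hold the GPG signing key and AWS credentials.
on:
  workflow_call:
    inputs:
      version:
        description: The Falco version to use when publishing packages
        required: true
        type: string
      bucket_suffix:
        description: bucket suffix for packages
        required: false
        default: ''
        type: string

# id-token: write is what allows the AWS role assumption in both jobs.
permissions:
  id-token: write
  contents: read

env:
  AWS_S3_REGION: eu-west-1
  AWS_CLOUDFRONT_DIST_ID: E1CQNPFWRXLGQD

jobs:
  publish-packages:
    runs-on: ubuntu-latest
    # NOTE(review): fedora:38 is a mutable tag, not an image digest; consider
    # pinning by digest (fedora@sha256:<digest>) and confirm this Fedora release
    # still receives security updates, since signing happens in this container.
    container: docker.io/library/fedora:38
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # NOTE(review): awscli is pinned by version but not by hash, and the dnf
      # packages are unversioned.
      - name: Install dependencies
        run: |
          dnf install rpm-sign expect which createrepo gpg python python-pip -y
          pip install awscli==1.29.60

      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
      # The role name is derived from the caller-supplied bucket_suffix, so which
      # callers may assume which role is presumably enforced by the role's trust
      # policy (see the link above) — verify there, not here.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
          aws-region: ${{ env.AWS_S3_REGION }}

      - name: Download RPM x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-x86_64.rpm
          path: /tmp/falco-build-rpm

      - name: Download RPM aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-aarch64.rpm
          path: /tmp/falco-build-rpm

      - name: Download binary x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-x86_64.tar.gz
          path: /tmp/falco-build-bin

      - name: Download binary aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-aarch64.tar.gz
          path: /tmp/falco-build-bin

      - name: Download static binary x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
          path: /tmp/falco-build-bin-static

      - name: Download WASM package
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-wasm.tar.gz
          path: /tmp/falco-wasm

      # The key is passed through the environment and piped into gpg, so it never
      # appears in the script text or on a command line.
      - name: Import gpg key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: printenv GPG_KEY | gpg --import -

      - name: Publish wasm
        env:
          VERSION: ${{ inputs.version }}
        run: |
          ./scripts/publish-wasm -f "/tmp/falco-wasm/falco-${VERSION}-wasm.tar.gz"

      - name: Publish rpm
        env:
          VERSION: ${{ inputs.version }}
          BUCKET_SUFFIX: ${{ inputs.bucket_suffix }}
        run: |
          ./scripts/publish-rpm -f "/tmp/falco-build-rpm/falco-${VERSION}-x86_64.rpm" -f "/tmp/falco-build-rpm/falco-${VERSION}-aarch64.rpm" -r "rpm${BUCKET_SUFFIX}"

      - name: Publish bin
        env:
          VERSION: ${{ inputs.version }}
          BUCKET_SUFFIX: ${{ inputs.bucket_suffix }}
        run: |
          ./scripts/publish-bin -f "/tmp/falco-build-bin/falco-${VERSION}-x86_64.tar.gz" -r "bin${BUCKET_SUFFIX}" -a x86_64
          ./scripts/publish-bin -f "/tmp/falco-build-bin/falco-${VERSION}-aarch64.tar.gz" -r "bin${BUCKET_SUFFIX}" -a aarch64

      - name: Publish static
        env:
          VERSION: ${{ inputs.version }}
          BUCKET_SUFFIX: ${{ inputs.bucket_suffix }}
        run: |
          ./scripts/publish-bin -f "/tmp/falco-build-bin-static/falco-${VERSION}-static-x86_64.tar.gz" -r "bin${BUCKET_SUFFIX}" -a x86_64

  publish-packages-deb:
    runs-on: ubuntu-latest
    # NOTE(review): debian:stable is a floating tag that moves to a new release
    # over time; consider pinning by digest (debian@sha256:<digest>), since
    # signing happens in this container.
    container: docker.io/debian:stable
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Install dependencies
        run: |
          apt update -y
          apt-get install apt-utils bzip2 gpg awscli -y

      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
          aws-region: ${{ env.AWS_S3_REGION }}

      - name: Download deb x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-x86_64.deb
          path: /tmp/falco-build-deb

      - name: Download deb aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-aarch64.deb
          path: /tmp/falco-build-deb

      # The key is passed through the environment and piped into gpg, so it never
      # appears in the script text or on a command line.
      - name: Import gpg key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: printenv GPG_KEY | gpg --import -

      - name: Publish deb
        env:
          VERSION: ${{ inputs.version }}
          BUCKET_SUFFIX: ${{ inputs.bucket_suffix }}
        run: |
          ./scripts/publish-deb -f "/tmp/falco-build-deb/falco-${VERSION}-x86_64.deb" -f "/tmp/falco-build-deb/falco-${VERSION}-aarch64.deb" -r "deb${BUCKET_SUFFIX}"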


================================================
FILE: .github/workflows/reusable_test_packages.yaml
================================================
# This is a reusable workflow used by master and release CI
# It downloads one previously built Falco tar.gz artifact, unpacks it onto the
# runner's root filesystem and runs the falcosecurity/testing action against it.
on:
  workflow_call:
    inputs:
      arch:
        description: x86_64 or aarch64
        required: true
        type: string
      static:
        description: Falco packages use a static build
        required: false
        type: boolean
        default: false
      version:
        description: The Falco version to use when testing packages
        required: true
        type: string
      sanitizers:
        description: Use sanitizer enabled build
        required: false
        default: false
        type: boolean

permissions:  
  contents: read
  
jobs:
  test-packages:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    steps:
      # The artifact name is assembled from the inputs: an optional "-static"
      # after the version and an optional "-sanitizers" after the architecture.
      - name: Download binary
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz
      
      # Unpacks the tarball and copies its tree over / with sudo, i.e. the package
      # contents overwrite files on the runner itself.
      - name: Install Falco package
        run: |
          ls falco-*.tar.gz
          tar -xvf $(ls falco-*.tar.gz)
          cd falco-${{ inputs.version }}-${{ inputs.arch }}
          sudo cp -r * /
    
      - name: Install kernel headers for falco-driver-loader tests
        run: |
          sudo apt update -y
          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)

      # Sanitizer-enabled builds need the ASan/UBSan runtime libraries; this step
      # runs only when the sanitizers input is set.
      - name: Install sanitizer support
        if: inputs.sanitizers
        run: |
          sudo apt update -y
          sudo apt install -y libasan5 libubsan1
          
      # NOTE(review): @main is a mutable ref, unlike the SHA-pinned
      # download-artifact action above; pin it to a full commit SHA (<commit-sha>)
      # so the test harness that gates packages cannot change between runs.
      - name: Run tests
        env:
          LSAN_OPTIONS: "intercept_tls_get_addr=0"
        uses: falcosecurity/testing@main
        with:
          test-falco: 'true'
          test-falcoctl: 'true'
          test-k8saudit: 'true'
          test-dummy: 'true'
          static: ${{ inputs.static && 'true' || 'false' }}
          test-drivers: 'true'
          show-all: 'true'
          report-name-suffix: ${{ inputs.static && '-static' || '' }}${{ inputs.sanitizers && '-sanitizers' || '' }}


================================================
FILE: .github/workflows/scorecard.yaml
================================================
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
# Runs the OpenSSF Scorecard analysis weekly and on pushes to master, then
# uploads the SARIF result both as a workflow artifact and to code scanning.
on:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    # Weekly on Mondays at 00:00.
    - cron: '0 0 * * 1'

  # The OSSF recommendation encourages to enable branch protection rules trigger
  # to update the scorecard
  # (https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
  # but due to our GitHub org management this check is triggered too often and is
  # therefore disabled.
  # branch_protection_rule:
  
  push:
    branches: [ "master" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Write scopes are granted at job level only, on top of the read-only default.
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      # persist-credentials: false keeps the workflow token out of the checked-out
      # repository's git configuration.
      # NOTE(review): this checkout is pinned to v3.1.0 while the other workflows
      # in this repository pin v4.1.0; confirm the older major is intentional.
      - name: "Checkout code"
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      # NOTE(review): this pins the v2 line of codeql-action (v2.2.4); confirm
      # that major version is still supported for SARIF uploads.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
        with:
          sarif_file: results.sarif


================================================
FILE: .github/workflows/staticanalysis.yaml
================================================
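# Runs cppcheck on every pull request and publishes the reports as an artifact.
#
# The job configures and builds the pull request's head commit, so the CMake
# scripts and sources it executes are contributor-controlled. The workflow
# therefore keeps the token read-only, references no secrets, and does not
# leave the token in the checked-out repository.
name: StaticAnalysis
on:
  # `pull_request` (not `pull_request_target`): for pull requests from forks,
  # GitHub runs the job with a read-only token and without repository secrets.
  pull_request:
permissions:
  contents: read

jobs:
  staticanalysis:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout ⤵️
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          # Analyse the PR head commit itself rather than the merge commit.
          ref: ${{ github.event.pull_request.head.sha }}
          # The following steps run build scripts from the PR, so keep the job
          # token out of .git/config (same setting as the Scorecard workflow).
          persist-credentials: false

      - name: Install build dependencies ⛓️
        run: |
          sudo apt update -y
          sudo apt install build-essential git cppcheck cmake -y

      - name: Build and run cppcheck 🏎️
        run: |
          cmake -B build -S . \
                -DCMAKE_BUILD_TYPE="release" \
                -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_DRIVER=Off
          cmake --build build -j4 --target cppcheck
          cmake --build build -j4 --target cppcheck_htmlreport

      # The reports are generated from PR-controlled input; treat the uploaded
      # HTML as untrusted content when opening it.
      - name: Upload reports ⬆️
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: static-analysis-reports
          path: ./build/static-analysis-reports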


================================================
FILE: .gitignore
================================================
/build*
*~
*.pyc

.vscode/*

*.idea*
CMakeUserPresets.json


================================================
FILE: .gitmodules
================================================
[submodule "submodules/falcosecurity-rules"]
	path = submodules/falcosecurity-rules
	url = https://github.com/falcosecurity/rules.git
	branch = main


================================================
FILE: .pre-commit-config.yaml
================================================
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
# Run every hook even if an earlier one fails.
fail_fast: false
minimum_pre_commit_version: '0'
repos:
# Remote hook repositories are fetched and executed on the developer's machine.
# `rev` below is a tag, which upstream can move; `pre-commit autoupdate --freeze`
# rewrites it to the commit SHA instead.
- repo: https://github.com/cheshirekow/cmake-format-precommit
  rev: v0.6.13
  hooks:
  - id: cmake-format
    stages: [commit]
- repo: https://github.com/pre-commit/mirrors-clang-format
  rev: v18.1.8
  hooks:
  - id: clang-format
    # Only C and C++ sources are formatted.
    types_or: [c++, c]
    stages: [commit]
# Local hook: runs a script from this repository's working tree while the
# commit message is being prepared.
# NOTE(review): presumably adds the DCO Signed-off-by trailer; confirm against
# the script itself.
- repo: local
  hooks:
  - id: dco-hook-local
    name: DCO hook local
    entry: ./tools/local_hooks/dco-pre-commit-msg.sh
    language: script
    stages: [prepare-commit-msg]


================================================
FILE: .yamllint.conf
================================================
extends: default

rules:
  indentation: disable
  document-start: disable
  comments: disable
  line-length: disable
  new-line-at-end-of-file: disable


================================================
FILE: ADOPTERS.md
================================================
# Adopters

Known end users with notable contributions to the project include:
* AWS
* IBM
* Red Hat

Falco is being used by numerous other companies, both large and small, to build higher layer products and services. The list includes but is not limited to:
* Equinix Metal
* IEEE
* Lowes
* Reckrut
* Yellow Pepper
* CTx
* Utikal
* Discrete Events
* Agritech Infra

This is a list of production adopters of Falco (in alphabetical order):

* [ASAPP](https://www.asapp.com/) - ASAPP is pushing the boundaries of fundamental artificial intelligence research. We apply our research into AI-Native® products that make organizations, in the customer experience industry, highly productive, efficient, and effective—by augmenting human activity and automating workflows. We constantly monitor our workloads against different hazards and Falco helps us extend our threat monitoring boundaries.

* [Booz Allen Hamilton](https://www.boozallen.com/) - BAH leverages Falco as part of their Kubernetes environment to verify that work loads behave as they did in their CD DevSecOps pipelines. BAH offers a solution to internal developers to easily build DevSecOps pipelines for projects. This makes it easy for developers to incorporate Security principles early on in the development cycle. In production, Falco is used to verify that the code the developer ships does not violate any of the production security requirements. BAH [are speaking at Kubecon NA 2019](https://kccncna19.sched.com/event/UaWr/building-reusable-devsecops-pipelines-on-a-secure-kubernetes-platform-steven-terrana-booz-allen-hamilton-michael-ducy-sysdig) on their use of Falco.

* [Coveo](https://www.coveo.com/) - Coveo stitches together content and data, learning from every interaction, to tailor every experience using AI to drive growth, satisfy customers and develop employee proficiency. All Falco events are centralized in our SIEM for analysis. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions with containers and orchestration systems. Falco gives us good visibility inside containers and complements other Host and Network Intrusion Detection Systems. In the near future, we expect to deploy serverless functions to take action when Falco identifies patterns worth taking action for.

* [Deckhouse](https://deckhouse.io/) - Deckhouse Platform presents to you the opportunity to create homogeneous Kubernetes clusters anywhere and handles comprehensive, automagical management for them. It supplies all the add-ons you need for auto-scaling, observability, security, and service mesh. Falco is used as a part of the [runtime-audit-engine](https://deckhouse.io/documentation/latest/modules/650-runtime-audit-engine/) module to provide threat detection and enforce security compliance out of the box. By pairing with [shell-operator](https://github.com/flant/shell-operator) Falco can be configured by Kubernetes Custom Resources.

* [Fairwinds](https://fairwinds.com/) - [Fairwinds Insights](https://fairwinds.com/insights), Kubernetes governance software, integrates Falco to offer a single pane of glass view into potential security incidents. Insights adds out-of-the-box integrations and rules filter to reduce alert fatigue and improve security response. The platform adds security prevention, detection, and response capabilities to your existing Kubernetes infrastructure. Security and DevOps teams benefit from a centralized view of container security vulnerability scanning and runtime container security.

* [Frame.io](https://frame.io/) - Frame.io is a cloud-based (SaaS) video review and collaboration platform that enables users to securely upload source media, work-in-progress edits, dailies, and more into private workspaces where they can invite their team and clients to collaborate on projects. Understanding what is running on production servers, and the context around why things are running is even more tricky now that we have further abstractions like Docker and Kubernetes. To get this needed visibility into our system, we rely on Falco. Falco's ability to collect raw system calls such as open, connect, exec, along with their arguments offer key insights on what is happening on the production system and became the foundation of our intrusion detection and alerting system.

* [Giant Swarm](https://www.giantswarm.io/) - Giant Swarm manages Kubernetes clusters and infrastructure for enterprises across multiple cloud providers as well as several flavors of on-premises data centers. Our platform provisions and monitors pure "vanilla" Kubernetes clusters which can be augmented with managed solutions to many common Kubernetes challenges, including security. We use Falco for anomaly detection as part of our collection of entirely open-source tools for securing our own clusters, and offer the same capabilities to our customers as part of our [managed security offering](https://docs.giantswarm.io/app-platform/apps/security/).

* [GitLab](https://about.gitlab.com/direction/defend/container_host_security/) - GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab Ultimate provides the single tool teams need to find, triage, and fix vulnerabilities in applications, services, and cloud-native environments enabling them to manage their risk. This provides them with repeatable, defensible processes that automate security and compliance policies. GitLab includes a tight integration with Falco, allowing users to defend their containerized applications from attacks while running in production.

* [gVisor](https://gvisor.dev/) - gVisor secures Kubernetes, containers, and workloads via an alternate execution environment that handles system calls in user space, blocking security issues before they reach the underlying host. gVisor provides defense-in-depth, protection against untrusted code execution, and a secure-by-default Kubernetes experience where containers are a security boundary. Falco can be used with gVisor to detect unusual or suspicious activity using its threat detection engine on top of gVisor runtime execution information.

* [League](https://league.com/ca/) - League provides health benefits management services to help employees understand and get the most from their benefits, and employers to provide effective, efficient plans. Falco is used to monitor our deployed services on Kubernetes, protecting against malicious access to containers which could lead to leaks of PHI or other sensitive data. The Falco alerts are logged in Stackdriver for grouping and further analysis. In the future, we're hoping for integrations with Prometheus and AlertManager as well.

* [Logz.io](https://logz.io/) - Logz.io is a cloud observability platform for modern engineering teams. The Logz.io platform consists of three products — Log Management, Infrastructure Monitoring, and Cloud SIEM — that work together to unify the jobs of monitoring, troubleshooting, and security. We empower engineers to deliver better software by offering the world's most popular open source observability tools — the ELK Stack, Grafana, and Jaeger — in a single, easy to use, and powerful platform purpose-built for monitoring distributed cloud environments. Cloud SIEM supports data from multiple sources, including Falco's alerts, and offers useful rules and dashboards content to visualize and manage incidents across your systems in a unified UI.
  * https://logz.io/blog/k8s-security-with-falco-and-cloud-siem/

* [MathWorks](https://mathworks.com) - MathWorks develops mathematical computing software for engineers and scientists. MathWorks uses Falco for Kubernetes threat detection, unexpected application behavior, and maps Falco rules to their cloud infrastructure's security kill chain model. MathWorks presented their Falco use case at [KubeCon + CloudNativeCon North America 2020](https://www.youtube.com/watch?v=L-5RYBTV010).

* [NETWAYS Web Services](https://nws.netways.de/en/) - NETWAYS Web Services provides cloud and managed services tailored to their customers needs. From VPCs to managed databases and Kubernetes clusters, NETWAYS Web Services enables their customers to run infrastructure and applications without worries. Falco plays its part for NETWAYS Managed Services to ensure their platform conforms to ISO 27001 at all times and that their clients' workloads behave as expected by detecting anomalies in real-time.

* [Pocteo](https://pocteo.co) - Pocteo helps with Kubernetes adoption in enterprises by providing a variety of services such as training, consulting, auditing and mentoring. We build CI/CD pipelines the GitOps way, as well as design and run k8s clusters. Pocteo uses Falco as a runtime monitoring system to secure clients' workloads against suspicious behavior and ensure k8s pods immutability. We also use Falco to collect, process and act on security events through a response engine and serverless functions.

* [Preferral](https://www.preferral.com) - Preferral is a HIPAA-compliant platform for Referral Management and Online Referral Forms. Preferral streamlines the referral process for patients, specialists and their referral partners. By automating the referral process, referring practices spend less time on the phone, manual efforts are eliminated, and patients get the right care from the right specialist. Preferral leverages Falco to provide a Host Intrusion Detection System to meet their HIPAA compliance requirements.
  * https://hipaa.preferral.com/01-preferral_hipaa_compliance/

* [Qonto](https://qonto.com) - Qonto is modern banking for SMEs and freelancers. Qonto provides a fully featured business account with a simplified accounting flow. Falco is used by our SecOps team to detect suspicious behaviors in our clusters.

* [Raft](https://goraft.tech) - Raft is a government contractor that offers cloud-native solutions across many different agencies including DoD (Department of Defense), HHS (Health and Human Services), as well as within CFPB (Consumer Finance Protection Bureau). Raft leverages Falco to detect threats in our clients' Kubernetes clusters and as a Host Intrusion Detection System. Raft proudly recommends Falco across all our different projects.

* [Replicated](https://www.replicated.com/) - Replicated is the modern way to ship on-prem software. Replicated gives software vendors a container-based platform for easily deploying cloud native applications inside customers' environments to provide greater security and control. Replicated uses Falco as runtime security to detect threats in the Kubernetes clusters which host our critical SaaS services.

* [Secureworks](https://www.secureworks.com/) - Secureworks is a leading worldwide cybersecurity company with a cloud-native security product that combines the power of human intellect with security analytics to unify detection and response across cloud, network, and endpoint environments for improved security operations and outcomes. Our Taegis XDR platform and detection system processes petabytes of security relevant data to expose active threats amongst the billions of daily events from our customers. We are proud to protect our platform’s Kubernetes deployments, as well as help our customers protect their own Linux and container environments, using Falco.

* [Shopify](https://www.shopify.com) - Shopify is the leading multi-channel commerce platform. Merchants use Shopify to design, set up, and manage their stores across multiple sales channels, including mobile, web, social media, marketplaces, brick-and-mortar locations, and pop-up shops. The platform also provides merchants with a powerful back-office and a single view of their business, from payments to shipping. The Shopify platform was engineered for reliability and scale, making enterprise-level technology available to businesses of all sizes. Shopify uses Falco to complement its Host and Network Intrusion Detection Systems.

* [SafeDep](https://safedep.io/) - SafeDep is an open source software supply chain security platform that helps organizations identify and mitigate risks in their dependencies. At its core, SafeDep offers [`vet`](https://github.com/safedep/vet), a free and open source tool for detecting vulnerabilities, malicious code, and quality issues in open source components, while the enterprise offering, SafeDep Cloud, provides centralized control, data aggregation, and advanced features like malware analysis for large-scale deployments across thousands of repositories.
 
* [Sight Machine](https://www.sightmachine.com) - Sight Machine is the category leader for manufacturing analytics and used by Global 500 companies to make better, faster decisions about their operations. Sight Machine uses Falco to help enforce SOC2 compliance as well as a tool for real time security monitoring and alerting in Kubernetes.

* [Skyscanner](https://www.skyscanner.net) - Skyscanner is the world's travel search engine for flights, hotels and car rentals. Most of our infrastructure is based on Kubernetes, and our Security team is using Falco to monitor anomalies at runtime, integrating Falco's findings with our internal ChatOps tooling to provide insight on the behavior of our machines in production. We also postprocess and store Falco's results to generate dashboards for auditing purposes.

* [Sumo Logic](https://www.sumologic.com/) - Sumo Logic provides a SaaS based log aggregation service that provides dashboards and applications to easily identify and analyze problems in your application and infrastructure. Sumo Logic provides native integrations for many CNCF projects, such as Falco, that allow end users to easily collect and analyze Falco events on DevSecOps-focused dashboards.

* [Swissblock Technologies](https://swissblock.net/) At Swissblock we connect the dots by combining cutting-edge algorithmic trading strategies with in-depth market analysis. We route all Falco events to our control systems, both monitoring and logging. Being able to deeply analyse alerts, we can understand what is running on our Kubernetes clusters and check against security policies, specifically defined for each workload. A set of alarms notifies us in case of critical events, letting us react fast. In the near future we plan to build a little application to route Kubernetes internal events directly to Falco, fully leveraging Falco PodSecurityPolicies analyses.

* [Shapesecurity/F5](https://www.shapesecurity.com/) Shapesecurity defends against application fraud attacks like Account Take Over, Credential Stuffing, Fake Accounts, etc. Required by FedRamp certification, we needed to find a FIM solution to help monitor and protect our Kubernetes clusters. Traditional FIM solutions were not scalable and not working for our environment, but with Falco we found the solution we needed. Falco's detection capabilities have helped us identify anomalous behaviour within our clusters. We leverage Sidekick (https://github.com/falcosecurity/charts/tree/master/falcosidekick) to send Falco alerts to a PubSub which in turn publishes those alerts to our SIEM (SumoLogic)

* [Sysdig](https://www.sysdig.com/) Sysdig originally created Falco in 2016 to detect unexpected or suspicious activity using a rules engine on top of the data that comes from the sysdig kernel system call driver. Sysdig provides tooling to help with vulnerability management, compliance, detection, incident response and forensics in Cloud-native environments. Sysdig Secure has extended Falco to include: a rule library, the ability to update macros, lists & rules via the user interface and API, automated tuning of rules, and rule creation based on profiling known system behavior. On top of the basic Falco rules, Sysdig Secure implements the concept of a "Security policy" that can comprise several rules which are evaluated for a user-defined infrastructure scope like Kubernetes namespaces, OpenShift clusters, deployment workload, cloud regions etc.

* [Thales Group](https://www.thalesgroup.com) Thales is a global technology leader with more than 81,000 employees on five continents. The Thales Group is investing in digital and “deep tech” innovations – Big Data, artificial intelligence, connectivity, cybersecurity and quantum technology – to build a future we can all trust. In the past few years, the Cloud-Native paradigms and its frameworks and tools have challenged the way applications and services are developed, delivered, and instantiated. All sorts of services are container-based workloads managed by higher level layers of orchestration such as the Kubernetes environment. Thales is committed to develop Cloud-Native services and to provide its customers with security features that ensure their applications and services are protected against cyber threats. Falco is a framework that can help Thales' products and services reach the level of trust, security and safety our clients need.

* [Thought Machine](https://www.thoughtmachine.net) Thought Machine builds Vault Core and Vault Payments: cloud-native core and payments technology enabling banks and fintechs to remain competitive and flourish into the future. Vault Core and Vault Payments are the foundation layer of a bank's technology stack. They can run any bank, any product, and any payment set. Thought Machine uses Falco to perform cloud agnostic real time detections of suspicious container behaviour.

* [Tulip Retail](https://tulip.com) Tulip Retail uses Falco to monitor container activity in our environments. Its numerous integration points, easy deployment and easily customizable rules were the main reasons we chose Falco.

* [Vinted](https://vinted.com/) Vinted uses Falco to continuously monitor container activities, identifying security threats, and ensuring compliance. The container-native approach, rule-based real-time threat detection, community support, extensibility, and compliance capabilities are the main factors why we chose it to enhance Vinted Kubernetes security. Falco Sidekick is used to send critical and warning severity alerts to our incident management solution (RTIR).

* [Xenit AB](https://xenit.se/contact/) Xenit is a growth company with services within cloud and digital transformation. We provide an open-source Kubernetes framework that we leverage to help our customers get their applications to production as quickly and as securely as possible. We use Falco's detection capabilities to identify anomalous behaviour within our clusters in both Azure and AWS.

* [Yahoo! JAPAN](https://www.yahoo.co.jp/) Yahoo! JAPAN is a leading company of internet in Japan. We build an AI Platform in our private cloud and provide it to scientists in our company. AI Platform is a multi-tenant Kubernetes environment and more flexible, faster, more efficient Machine Learning environment. Falco is used to detect unauthorized commands and malicious access and our AI Platform is monitored and alerted by Falco.

## Projects that use Falco libs

* [R6/Phoenix](https://r6security.com/) is an attack surface protection company that uses moving target defense to provide fully automated, proactive and devops friendly security to its customers. There are a set of policies you can add to enable the moving target defense capabilities. Some of them are triggered by a combination of Falco's findings. You can kill, restart and rename pods according to the ever changing policies.

* [SysFlow](https://sysflow.io) SysFlow is a cloud-native system telemetry framework that focuses on data abstraction, behavioral analytics, and noise reduction. At its core, SysFlow exposes a compact open telemetry format that records workload behaviors by connecting event and flow representations of process control flows, file interactions, and network communications. The resulting abstraction encodes a graph structure that enables provenance reasoning on host and container environments, and fast retrieval of security-relevant information.

* [StackRox](https://stackrox.io) is the industry’s first Kubernetes-native security platform enabling organizations to build, deploy, and run cloud-native applications securely. The platform works with Kubernetes environments and integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. StackRox aims to harness containerized applications’ development speed while giving operations and security teams greater context and risk profiling. StackRox leverages cloud-native principles and declarative artifacts to automate DevSecOps best practices.

* [Wireshark](https://www.wireshark.org) is the world's most powerful and popular network protocol analyzer. The Wireshark team is combining Wireshark's features and Falco libs to create Logray, a cloud and system log analyzer with advanced filtering, capture, and scripting capabilities.

## Adding a name

If you would like to add your name to this file, submit a pull request with your change.


================================================
FILE: CHANGELOG.md
================================================
# Change Log

## v0.43.0

Released on 2026-01-28

### Breaking Changes :warning:

* fix(userspace)!: show source config path only in debug builds [[#3787](https://github.com/falcosecurity/falco/pull/3787)] - [@leogr](https://github.com/leogr)



### Minor Changes

* chore(userspace): deprecate `--gvisor-generate-config` CLI option [[#3784](https://github.com/falcosecurity/falco/pull/3784)] - [@ekoops](https://github.com/ekoops)
* docs: add deprecation notice for legacy eBPF in pkg install dialog [[#3786](https://github.com/falcosecurity/falco/pull/3786)] - [@ekoops](https://github.com/ekoops)
* chore: [NOTICE] The GPG key used to sign DEB/RPM packages has been rotated, and all existing packages have been re-signed. New key fingerprint: `478B2FBBC75F4237B731DA4365106822B35B1B1F` [[#3753](https://github.com/falcosecurity/falco/pull/3753)] - [@leogr](https://github.com/leogr)
* chore(scripts/falcoctl): increase follow interval to 1 week [[#3757](https://github.com/falcosecurity/falco/pull/3757)] - [@leogr](https://github.com/leogr)
* docs: add deprecation notice for legacy eBPF, gVisor and gRPC usage [[#3763](https://github.com/falcosecurity/falco/pull/3763)] - [@ekoops](https://github.com/ekoops)
* chore(userspace): deprecate legacy eBPF probe, gVisor engine and gRPC [[#3763](https://github.com/falcosecurity/falco/pull/3763)] - [@ekoops](https://github.com/ekoops)
* chore(engine): emit warning when the deprecated `evt.latency` field family is used in a rule condition or output [[#3744](https://github.com/falcosecurity/falco/pull/3744)] - [@irozzo-1A](https://github.com/irozzo-1A)


### Bug Fixes

* fix: prevent null pointer crash on `popen()` failure in output_program [[#3722](https://github.com/falcosecurity/falco/pull/3722)] - [@vietcgi](https://github.com/vietcgi)
* fix: correct falcoctl.yaml path in debian conffiles [[#3745](https://github.com/falcosecurity/falco/pull/3745)] - [@leogr](https://github.com/leogr)



### Non user-facing changes

* chore(cmake): bump falcoctl dependency version to `0.12.2` [[#3790](https://github.com/falcosecurity/falco/pull/3790)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump falcoctl dependency version to `0.12.1` [[#3777](https://github.com/falcosecurity/falco/pull/3777)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump container plugin version to `0.6.1` [[#3780](https://github.com/falcosecurity/falco/pull/3780)] - [@ekoops](https://github.com/ekoops)
* fix(userspace/engine): missing closing quote in deprecated field warning [[#3779](https://github.com/falcosecurity/falco/pull/3779)] - [@leogr](https://github.com/leogr)
* chore(.github): Put back gpg key rotation workflow [[#3772](https://github.com/falcosecurity/falco/pull/3772)] - [@irozzo-1A](https://github.com/irozzo-1A)
* chore(cmake): bump libs/drivers to `0.23.1`/`9.1.0+driver` [[#3769](https://github.com/falcosecurity/falco/pull/3769)] - [@ekoops](https://github.com/ekoops)
* revert: chore(.github): temporary action for GPG key rotation [[#3766](https://github.com/falcosecurity/falco/pull/3766)] - [@leogr](https://github.com/leogr)
* chore(cmake): bump container plugin version to 0.6.0 [[#3768](https://github.com/falcosecurity/falco/pull/3768)] - [@irozzo-1A](https://github.com/irozzo-1A)
* docs(proposals): add proposal for legacy probe, gVisor engine and gRPC output deprecation [[#3755](https://github.com/falcosecurity/falco/pull/3755)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump libs/drivers to `0.23.0`/`9.1.0+driver` [[#3760](https://github.com/falcosecurity/falco/pull/3760)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3754](https://github.com/falcosecurity/falco/pull/3754)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(metrics): Add null check for state.outputs in metrics collection [[#3740](https://github.com/falcosecurity/falco/pull/3740)] - [@adduali1310](https://github.com/adduali1310)
* chore(cmake): bump libs to `0.23.0-rc2` [[#3759](https://github.com/falcosecurity/falco/pull/3759)] - [@ekoops](https://github.com/ekoops)
* chore(cmake): bump libs/drivers to `0.23.0-rc1`/`9.1.0-rc1+driver` [[#3758](https://github.com/falcosecurity/falco/pull/3758)] - [@ekoops](https://github.com/ekoops)
* fix(ci): revert changes to mitigate rate-limitar change [[#3752](https://github.com/falcosecurity/falco/pull/3752)] - [@irozzo-1A](https://github.com/irozzo-1A)
* update(cmake): update libs and driver to latest master [[#3723](https://github.com/falcosecurity/falco/pull/3723)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* Reduce image size [[#3746](https://github.com/falcosecurity/falco/pull/3746)] - [@jfcoz](https://github.com/jfcoz)
* docs(RELEASE.md): specify target branch association upon release creation [[#3717](https://github.com/falcosecurity/falco/pull/3717)] - [@ekoops](https://github.com/ekoops)
* docs(RELEASE.md): fix `rn2md` cmd generating changelogs [[#3709](https://github.com/falcosecurity/falco/pull/3709)] - [@ekoops](https://github.com/ekoops)
* docs(RELEASE.md): fix PRs filtering expr for checking release notes [[#3708](https://github.com/falcosecurity/falco/pull/3708)] - [@ekoops](https://github.com/ekoops)
* docs(RELEASE.md): fix PRs filtering expression text [[#3707](https://github.com/falcosecurity/falco/pull/3707)] - [@ekoops](https://github.com/ekoops)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |     21 |
| Release note    |     11 |
| Total           |     32 |

## v0.42.0

Released on 2025-10-22


### Major Changes

* feat: add `falco_libs.thread_table_auto_purging_interval_s` and `thread_table_auto_purging_thread_timeout_s` configuration options [[#3670](https://github.com/falcosecurity/falco/pull/3670)] - [@ekoops](https://github.com/ekoops)
* feat: log plugin version info at loading time [[#3657](https://github.com/falcosecurity/falco/pull/3657)] - [@FedeDP](https://github.com/FedeDP)
* feat: ability to add statically defined fields via `static_fields` configuration [[#3557](https://github.com/falcosecurity/falco/pull/3557)] - [@FedeDP](https://github.com/FedeDP)
* feat(engine): emit warning when a rule containing the `evt.dir` field in output is encountered [[#3697](https://github.com/falcosecurity/falco/pull/3697)] - [@irozzo-1A](https://github.com/irozzo-1A)
* feat(engine): emit warning when a rule containing a condition on the deprecated `evt.dir` field is encountered [[#3690](https://github.com/falcosecurity/falco/pull/3690)] - [@irozzo-1A](https://github.com/irozzo-1A)
* new: ability to record `.scap` files (capture feature) [[#3645](https://github.com/falcosecurity/falco/pull/3645)] - [@leogr](https://github.com/leogr)
* new(docker): includes sha on the image labels [[#3658](https://github.com/falcosecurity/falco/pull/3658)] - [@jcchavezs](https://github.com/jcchavezs)
* new(cmake,userspace,ci): add mimalloc support [[#3616](https://github.com/falcosecurity/falco/pull/3616)] - [@FedeDP](https://github.com/FedeDP)


### Minor Changes

* docs(falco.yaml): refactor config documentation [[#3685](https://github.com/falcosecurity/falco/pull/3685)] - [@leogr](https://github.com/leogr)
* build: fix `debian:buster` apt debian repo URL in `:driver-loader-buster` container image [[#3644](https://github.com/falcosecurity/falco/pull/3644)] - [@ekoops](https://github.com/ekoops)
* build: upgrade libs to version 0.22.1 [[#3705](https://github.com/falcosecurity/falco/pull/3705)] - [@irozzo-1A](https://github.com/irozzo-1A)
* build: upgrade drivers to v9.0.0+driver [[#3701](https://github.com/falcosecurity/falco/pull/3701)] - [@irozzo-1A](https://github.com/irozzo-1A)
* build: upgrade cpp-httplib to v0.23.1 [[#3647](https://github.com/falcosecurity/falco/pull/3647)] - [@FedeDP](https://github.com/FedeDP)
* update: upgrade default ruleset to v5.0.0 [[#3700](https://github.com/falcosecurity/falco/pull/3700)] - [@leogr](https://github.com/leogr)
* build: upgrade `falcoctl` to v0.11.4 [[#3694](https://github.com/falcosecurity/falco/pull/3694)] - [@leogr](https://github.com/leogr)
* chore(prometheus): deprecate enter events drop stats [[#3675](https://github.com/falcosecurity/falco/pull/3675)] - [@irozzo-1A](https://github.com/irozzo-1A)


### Bug Fixes

* fix(cmake): correct abseil-cpp for alpine build [[#3598](https://github.com/falcosecurity/falco/pull/3598)] - [@RomanenkoDenys](https://github.com/RomanenkoDenys)
* fix: enable handling of multiple actions configured with `syscall_event_drops.actions` [[#3676](https://github.com/falcosecurity/falco/pull/3676)] - [@terror96](https://github.com/terror96)
* fix: disable dry-run restarts when Falco runs with config-watching disabled [[#3640](https://github.com/falcosecurity/falco/pull/3640)] - [@Proximyst](https://github.com/Proximyst)



### Non user-facing changes

* fix(userspace/falco): correct default duration calculation [[#3715](https://github.com/falcosecurity/falco/pull/3715)] - [@leogr](https://github.com/leogr)
* chore(falcoctl): update falco rules to version 5 [[#3712](https://github.com/falcosecurity/falco/pull/3712)] - [@irozzo-1A](https://github.com/irozzo-1A)
* doc(OWNERS): move incertum (Melissa Kilby) to emeritus_approvers [[#3605](https://github.com/falcosecurity/falco/pull/3605)] - [@incertum](https://github.com/incertum)
* update(cmake): update libs and driver to latest master [[#3689](https://github.com/falcosecurity/falco/pull/3689)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(docker): use new `ENV` syntax in place of deprecated one [[#3696](https://github.com/falcosecurity/falco/pull/3696)] - [@ekoops](https://github.com/ekoops)
* chore(cmake/modules): update rules to 5.0.0-rc1 [[#3698](https://github.com/falcosecurity/falco/pull/3698)] - [@leogr](https://github.com/leogr)
* fix(userspace/engine): fix logger date format [[#3672](https://github.com/falcosecurity/falco/pull/3672)] - [@ekoops](https://github.com/ekoops)
* docs(OWNERS): add `ekoops`(Leonardo Di Giovanna) as approver [[#3688](https://github.com/falcosecurity/falco/pull/3688)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3665](https://github.com/falcosecurity/falco/pull/3665)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* Refactor: cppcheck cleanups [[#3649](https://github.com/falcosecurity/falco/pull/3649)] - [@sgaist](https://github.com/sgaist)
* update(userspace/engine): update falco engine version and checksum [[#3648](https://github.com/falcosecurity/falco/pull/3648)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3662](https://github.com/falcosecurity/falco/pull/3662)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3661](https://github.com/falcosecurity/falco/pull/3661)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3653](https://github.com/falcosecurity/falco/pull/3653)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(ci): disable mimalloc for master builds. [[#3655](https://github.com/falcosecurity/falco/pull/3655)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `1208816` to `be38001` [[#3651](https://github.com/falcosecurity/falco/pull/3651)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* docs(falco.yaml): avoid out-of-sync config options for `container` pl… [[#3650](https://github.com/falcosecurity/falco/pull/3650)] - [@leogr](https://github.com/leogr)
* update(cmake): update libs and driver to latest master [[#3636](https://github.com/falcosecurity/falco/pull/3636)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(CHANGELOG.md): release 0.41.3 (cherry-pick) [[#3634](https://github.com/falcosecurity/falco/pull/3634)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3628](https://github.com/falcosecurity/falco/pull/3628)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(CHANGELOG.md): release 0.41.2 (cherry-pick) [[#3623](https://github.com/falcosecurity/falco/pull/3623)] - [@ekoops](https://github.com/ekoops)
* update(cmake): update libs and driver to latest master [[#3618](https://github.com/falcosecurity/falco/pull/3618)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3602](https://github.com/falcosecurity/falco/pull/3602)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(falco.yaml): clean up plugins config leftover [[#3596](https://github.com/falcosecurity/falco/pull/3596)] - [@leogr](https://github.com/leogr)
* chore(deps): Bump submodules/falcosecurity-rules from `b4437c4` to `4d51b18` [[#3607](https://github.com/falcosecurity/falco/pull/3607)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(docs): cherry pick CHANGELOG. [[#3600](https://github.com/falcosecurity/falco/pull/3600)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3592](https://github.com/falcosecurity/falco/pull/3592)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(docs): bumped changelog for release 0.41.0, master sync [[#3586](https://github.com/falcosecurity/falco/pull/3586)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `cb17833` to `b4437c4` [[#3578](https://github.com/falcosecurity/falco/pull/3578)] - [@dependabot[bot]](https://github.com/apps/dependabot)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |     29 |
| Release note    |     23 |
| Total           |     52 |

## v0.41.3

Released on 2025-07-01



### Minor Changes

* update: bump container plugin to v0.3.1 [[#3629](https://github.com/falcosecurity/falco/pull/3629)] - [@FedeDP](https://github.com/FedeDP)




### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |      0 |
| Release note    |      1 |
| Total           |      1 |

## v0.41.2

Released on 2025-06-17



### Minor Changes

* update(build): update container plugin to 0.3.0 [[#3619](https://github.com/falcosecurity/falco/pull/3619)] - [@ekoops](https://github.com/ekoops)



### Non user-facing changes

* update(build): update container plugin to 0.2.6 [[#3611](https://github.com/falcosecurity/falco/pull/3611)] - [@leogr](https://github.com/leogr)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |      1 |
| Release note    |      1 |
| Total           |      2 |

## v0.41.1

Released on 2025-06-05

### Bug Fixes

* fix(userspace/falco): when collecting metrics for stats_writer, create a `libs_metrics_collector` for each source [[#3585](https://github.com/falcosecurity/falco/pull/3585)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened [[#3588](https://github.com/falcosecurity/falco/pull/3588)] - [@FedeDP](https://github.com/FedeDP)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |      0 |
| Release note    |      2 |
| Total           |      2 |

## v0.41.0

Released on 2025-05-29

### Breaking Changes :warning:

* cleanup(engine)!: only consider .yaml/.yml rule files [[#3551](https://github.com/falcosecurity/falco/pull/3551)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup(userspace)!: deprecate print of `container.info` [[#3543](https://github.com/falcosecurity/falco/pull/3543)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(userspace/falco)!: drop the CLI flags deprecated in 0.40.0. [[#3496](https://github.com/falcosecurity/falco/pull/3496)] - [@FedeDP](https://github.com/FedeDP)


### Major Changes

* new(falco): add json_include_output_fields option [[#3527](https://github.com/falcosecurity/falco/pull/3527)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(build,userspace): switch to use container plugin [[#3482](https://github.com/falcosecurity/falco/pull/3482)] - [@FedeDP](https://github.com/FedeDP)
* new(docker,scripts,ci): use an override config file to enable ISO 8601 output timeformat on docker images [[#3488](https://github.com/falcosecurity/falco/pull/3488)] - [@FedeDP](https://github.com/FedeDP)


### Minor Changes

* chore(build): update falcoctl to v0.11.2, rules for artifact follow to v4 [[#3580](https://github.com/falcosecurity/falco/pull/3580)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(cmake): bumped falcoctl to 0.11.1 and rules to 4.0.0. [[#3577](https://github.com/falcosecurity/falco/pull/3577)] - [@FedeDP](https://github.com/FedeDP)
* update(containers): update opencontainers labels [[#3575](https://github.com/falcosecurity/falco/pull/3575)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(metrics): improve restart/hot_reload conditions inspection [[#3562](https://github.com/falcosecurity/falco/pull/3562)] - [@incertum](https://github.com/incertum)
* update: empty `values` in `exceptions` won't emit a warning anymore [[#3529](https://github.com/falcosecurity/falco/pull/3529)] - [@leogr](https://github.com/leogr)
* chore(falco.yaml): enable libs_logger by default with info level [[#3507](https://github.com/falcosecurity/falco/pull/3507)] - [@FedeDP](https://github.com/FedeDP)


### Bug Fixes

* fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics [[#3563](https://github.com/falcosecurity/falco/pull/3563)] - [@incertum](https://github.com/incertum)
* fix(ci): properly install rpm systemd-rpm-macro package on building packages pipeline [[#3521](https://github.com/falcosecurity/falco/pull/3521)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/falco): init cmdline options after loading all config files [[#3493](https://github.com/falcosecurity/falco/pull/3493)] - [@FedeDP](https://github.com/FedeDP)
* fix(cmake): add support for 16K kernel page to jemalloc [[#3490](https://github.com/falcosecurity/falco/pull/3490)] - [@Darkness4](https://github.com/Darkness4)
* fix(userspace/falco): fix jemalloc enabled in minimal build. [[#3478](https://github.com/falcosecurity/falco/pull/3478)] - [@FedeDP](https://github.com/FedeDP)



### Non user-facing changes

* chore(deps): Bump submodules/falcosecurity-rules from `4ccf111` to `cb17833` [[#3572](https://github.com/falcosecurity/falco/pull/3572)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake/rules): bump to falco-rules-4.0.0-rc1 [[#3567](https://github.com/falcosecurity/falco/pull/3567)] - [@leogr](https://github.com/leogr)
* cleanup(userspace/falco): drop unused `libs_metrics_collector` variable. [[#3566](https://github.com/falcosecurity/falco/pull/3566)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3564](https://github.com/falcosecurity/falco/pull/3564)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(build): fixed container custom_target `sed` command. [[#3556](https://github.com/falcosecurity/falco/pull/3556)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `ae6ed41` to `4ccf111` [[#3555](https://github.com/falcosecurity/falco/pull/3555)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(cmake): fix bundled c-ares cmake issue with e.g. SLES [[#3559](https://github.com/falcosecurity/falco/pull/3559)] - [@terror96](https://github.com/terror96)
* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `ae6ed41` [[#3553](https://github.com/falcosecurity/falco/pull/3553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore: revert "chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431`" [[#3552](https://github.com/falcosecurity/falco/pull/3552)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3550](https://github.com/falcosecurity/falco/pull/3550)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3549](https://github.com/falcosecurity/falco/pull/3549)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(adopters): added SafeDep as adopter [[#3548](https://github.com/falcosecurity/falco/pull/3548)] - [@KunalSin9h](https://github.com/KunalSin9h)
* update(cmake): update libs and driver to latest master [[#3547](https://github.com/falcosecurity/falco/pull/3547)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3541](https://github.com/falcosecurity/falco/pull/3541)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(userspace): fixed engine `openssl` dep. [[#3535](https://github.com/falcosecurity/falco/pull/3535)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/falco): fix outputs_http timeout [[#3523](https://github.com/falcosecurity/falco/pull/3523)] - [@benierc](https://github.com/benierc)
* fix(ci): use clang-19 to build modern_ebpf skeleton. [[#3537](https://github.com/falcosecurity/falco/pull/3537)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3531](https://github.com/falcosecurity/falco/pull/3531)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3530](https://github.com/falcosecurity/falco/pull/3530)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3525](https://github.com/falcosecurity/falco/pull/3525)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3520](https://github.com/falcosecurity/falco/pull/3520)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3516](https://github.com/falcosecurity/falco/pull/3516)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* docs(README.md): cleanups and enhancements [[#3514](https://github.com/falcosecurity/falco/pull/3514)] - [@leogr](https://github.com/leogr)
* update(cmake): update libs and driver to latest master [[#3511](https://github.com/falcosecurity/falco/pull/3511)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431` [[#3510](https://github.com/falcosecurity/falco/pull/3510)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): update libs and driver to latest master [[#3508](https://github.com/falcosecurity/falco/pull/3508)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* update(cmake): update libs and driver to latest master [[#3506](https://github.com/falcosecurity/falco/pull/3506)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(userspace/falco): when counting `-M` timeout, do not account for async events [[#3505](https://github.com/falcosecurity/falco/pull/3505)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `d8415c1` to `1d2c6b1` [[#3504](https://github.com/falcosecurity/falco/pull/3504)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* docs(proposals): correct typo in example [[#3499](https://github.com/falcosecurity/falco/pull/3499)] - [@leogr](https://github.com/leogr)
* fix(docker): fixed entrypoints paths with new docker context. [[#3492](https://github.com/falcosecurity/falco/pull/3492)] - [@FedeDP](https://github.com/FedeDP)
* feat(falco/app): move actions not using config before `load_config` [[#3483](https://github.com/falcosecurity/falco/pull/3483)] - [@ekoops](https://github.com/ekoops)
* refactor(falco/app): apply early return pattern in actions code [[#3484](https://github.com/falcosecurity/falco/pull/3484)] - [@ekoops](https://github.com/ekoops)
* chore(deps): Bump submodules/falcosecurity-rules from `abf6637` to `d8415c1` [[#3489](https://github.com/falcosecurity/falco/pull/3489)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* Add NETWAYS Web Services to ADOPTERS.md [[#3487](https://github.com/falcosecurity/falco/pull/3487)] - [@mocdaniel](https://github.com/mocdaniel)
* chore: add back Falco static package to the release template. [[#3472](https://github.com/falcosecurity/falco/pull/3472)] - [@FedeDP](https://github.com/FedeDP)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |     36 |
| Release note    |     17 |
| Total           |     53 |

## v0.40.0

Released on 2025-01-28

### Breaking Changes :warning:

* cleanup(userspace/falco)!: drop deprecated options. [[#3361](https://github.com/falcosecurity/falco/pull/3361)] - [@FedeDP](https://github.com/FedeDP)


### Major Changes

* new(docker): streamline docker images [[#3273](https://github.com/falcosecurity/falco/pull/3273)] - [@FedeDP](https://github.com/FedeDP)
* new(build): reintroduce static build [[#3428](https://github.com/falcosecurity/falco/pull/3428)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(cmake,ci): added support for using jemalloc allocator instead of glibc one and use it by default for release artifacts [[#3406](https://github.com/falcosecurity/falco/pull/3406)] - [@FedeDP](https://github.com/FedeDP)
* new(userspace,cmake): honor the suggested output formats newly exposed by plugins [[#3388](https://github.com/falcosecurity/falco/pull/3388)] - [@FedeDP](https://github.com/FedeDP)
* new(userspace/falco): allow entirely disabling plugin hostinfo support. [[#3412](https://github.com/falcosecurity/falco/pull/3412)] - [@FedeDP](https://github.com/FedeDP)
* new(ci): use `zig` compiler instead of relying on centos7. [[#3307](https://github.com/falcosecurity/falco/pull/3307)] - [@FedeDP](https://github.com/FedeDP)
* new(falco): add buffer_format_base64 option, deprecate -b [[#3358](https://github.com/falcosecurity/falco/pull/3358)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(falco): add base_syscalls.all option to falco.yaml, deprecate -A [[#3352](https://github.com/falcosecurity/falco/pull/3352)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(falco): add falco_libs.snaplen option, deprecate -S / --snaplen [[#3362](https://github.com/falcosecurity/falco/pull/3362)] - [@LucaGuerra](https://github.com/LucaGuerra)


### Minor Changes

* update(cmake): bump falcoctl to v0.11.0 [[#3467](https://github.com/falcosecurity/falco/pull/3467)] - [@alacuku](https://github.com/alacuku)
* chore(ci): add attestation for falco [[#3216](https://github.com/falcosecurity/falco/pull/3216)] - [@cpanato](https://github.com/cpanato)
* chore(ci): build Falco in RelWithDebInfo, and upload Falco debug symbols as github artifacts [[#3452](https://github.com/falcosecurity/falco/pull/3452)] - [@FedeDP](https://github.com/FedeDP)
* update(build): DEB and RPM package requirements for dkms and kernel-devel are now suggestions [[#3450](https://github.com/falcosecurity/falco/pull/3450)] - [@jthiltges](https://github.com/jthiltges)


### Bug Fixes

* fix(userspace/falco): fix container_engines.cri.sockets not loading from config file [[#3453](https://github.com/falcosecurity/falco/pull/3453)] - [@zayaanmoez](https://github.com/zayaanmoez)
* fix(docker): /usr/src/'*' no longer created if $HOST_PATH/usr/src didn't exist at startup [[#3434](https://github.com/falcosecurity/falco/pull/3434)] - [@shane-lawrence](https://github.com/shane-lawrence)
* fix(docker): add brotli to the Falco image [[#3399](https://github.com/falcosecurity/falco/pull/3399)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(userspace/engine): explicitly disallow appending/modifying a rule with different sources [[#3383](https://github.com/falcosecurity/falco/pull/3383)] - [@mstemm](https://github.com/mstemm)



### Non user-facing changes

* chore(falco.yaml): remove comments about cri cli arguments [[#3458](https://github.com/falcosecurity/falco/pull/3458)] - [@alacuku](https://github.com/alacuku)
* fix(ci): fixed reusable_build/publish_docker workflows. [[#3459](https://github.com/falcosecurity/falco/pull/3459)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3455](https://github.com/falcosecurity/falco/pull/3455)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore(ci): bumped actions/upload-download-artifact. [[#3454](https://github.com/falcosecurity/falco/pull/3454)] - [@FedeDP](https://github.com/FedeDP)
* chore(docker): drop unused libelf dep from container images [[#3451](https://github.com/falcosecurity/falco/pull/3451)] - [@leogr](https://github.com/leogr)
* chore(docs): update `plugins_hostinfo` config file comment. [[#3449](https://github.com/falcosecurity/falco/pull/3449)] - [@FedeDP](https://github.com/FedeDP)
* new(build): add RelWithDebInfo target [[#3440](https://github.com/falcosecurity/falco/pull/3440)] - [@shane-lawrence](https://github.com/shane-lawrence)
* chore(deps): Bump submodules/falcosecurity-rules from `283a62f` to `abf6637` [[#3448](https://github.com/falcosecurity/falco/pull/3448)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(ci): use 4cpu-16gb arm runners [[#3447](https://github.com/falcosecurity/falco/pull/3447)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(cmake): update libs and driver to latest master [[#3439](https://github.com/falcosecurity/falco/pull/3439)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* chore: avoid deprecated funcs to calculate sha256 [[#3442](https://github.com/falcosecurity/falco/pull/3442)] - [@federico-sysdig](https://github.com/federico-sysdig)
* chore(ci): enable jemalloc in musl build. [[#3436](https://github.com/falcosecurity/falco/pull/3436)] - [@FedeDP](https://github.com/FedeDP)
* docs(falco.yaml): correct `buffered_outputs` description [[#3427](https://github.com/falcosecurity/falco/pull/3427)] - [@leogr](https://github.com/leogr)
* fix(userspace/falco): use correct filtercheck_field_info. [[#3426](https://github.com/falcosecurity/falco/pull/3426)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3421](https://github.com/falcosecurity/falco/pull/3421)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix: update the url for the docs about the concurrent queue classes [[#3415](https://github.com/falcosecurity/falco/pull/3415)] - [@Issif](https://github.com/Issif)
* update(changelog): updated changelog for 0.39.2. [[#3410](https://github.com/falcosecurity/falco/pull/3410)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3392](https://github.com/falcosecurity/falco/pull/3392)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* fix(cmake,docker): avoid cpp-httplib requiring brotli. [[#3400](https://github.com/falcosecurity/falco/pull/3400)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `407e997` to `283a62f` [[#3391](https://github.com/falcosecurity/falco/pull/3391)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bump libs to latest master. [[#3389](https://github.com/falcosecurity/falco/pull/3389)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): update libs and driver to latest master [[#3385](https://github.com/falcosecurity/falco/pull/3385)] - [@github-actions[bot]](https://github.com/apps/github-actions)
* Make enable()/disable() virtual so they can be overridden [[#3375](https://github.com/falcosecurity/falco/pull/3375)] - [@mstemm](https://github.com/mstemm)
* fix(ci): fixed shasum computation for bump-libs CI. [[#3379](https://github.com/falcosecurity/falco/pull/3379)] - [@FedeDP](https://github.com/FedeDP)
* chore(ci): use redhat advised method to check rpmsign success. [[#3376](https://github.com/falcosecurity/falco/pull/3376)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `e38fb3f` to `407e997` [[#3374](https://github.com/falcosecurity/falco/pull/3374)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* Compile output clone [[#3364](https://github.com/falcosecurity/falco/pull/3364)] - [@mstemm](https://github.com/mstemm)
* fix(ci): fixed bump-libs workflow syntax. [[#3369](https://github.com/falcosecurity/falco/pull/3369)] - [@FedeDP](https://github.com/FedeDP)
* new(ci): add a workflow to automatically bump libs every Monday. [[#3360](https://github.com/falcosecurity/falco/pull/3360)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `b6ad373` to `e38fb3f` [[#3365](https://github.com/falcosecurity/falco/pull/3365)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* cleanup(falco): reformat options::define [[#3356](https://github.com/falcosecurity/falco/pull/3356)] - [@LucaGuerra](https://github.com/LucaGuerra)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |     31 |
| Release note    |     18 |
| Total           |     49 |

## v0.39.2

Released on 2024-11-21

### Minor Changes

* update(cmake): bumped falcoctl to v0.10.1. [[#3408](https://github.com/falcosecurity/falco/pull/3408)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): bump yaml-cpp to latest master. [[#3394](https://github.com/falcosecurity/falco/pull/3394)] - [@FedeDP](https://github.com/FedeDP)

### Non user-facing changes

* update(ci): use arm64 CNCF runners for GH actions [[#3386](https://github.com/falcosecurity/falco/pull/3386)] - [@LucaGuerra](https://github.com/LucaGuerra)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |      1 |
| Release note    |      2 |
| Total           |      3 |


## v0.39.1

Released on 2024-10-09

### Bug Fixes

* fix(engine): allow null init_config for plugin info [[#3372](https://github.com/falcosecurity/falco/pull/3372)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [[#3363](https://github.com/falcosecurity/falco/pull/3363)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(userspace/falco): fix event set selection for plugin with parsing capability [[#3368](https://github.com/falcosecurity/falco/pull/3368)] - [@FedeDP](https://github.com/FedeDP)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |      0 |
| Release note    |      3 |
| Total           |      3 |


## v0.39.0

Released on 2024-10-01

### Breaking Changes :warning:

* fix(falco_metrics)!: split tags label into multiple `tag_`-prefixed labels [[#3337](https://github.com/falcosecurity/falco/pull/3337)] - [@ekoops](https://github.com/ekoops)
* fix(falco_metrics)!: use full name for configs and rules files [[#3337](https://github.com/falcosecurity/falco/pull/3337)] - [@ekoops](https://github.com/ekoops)
* update(falco_metrics)!: rearrange `n_evts_cpu` and `n_drops_cpu` Prometheus metrics to follow best practices [[#3319](https://github.com/falcosecurity/falco/pull/3319)] - [@incertum](https://github.com/incertum)
* cleanup(userspace/falco)!: drop deprecated -t,-T,-D options. [[#3311](https://github.com/falcosecurity/falco/pull/3311)] - [@FedeDP](https://github.com/FedeDP)


### Major Changes

* feat(stats): add host_netinfo networking information stats family [[#3344](https://github.com/falcosecurity/falco/pull/3344)] - [@ekoops](https://github.com/ekoops)
* new(falco): add json_include_message_property to have a message field without date and priority [[#3314](https://github.com/falcosecurity/falco/pull/3314)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(userspace/falco,userspace/engine): rule json schema validation [[#3313](https://github.com/falcosecurity/falco/pull/3313)] - [@FedeDP](https://github.com/FedeDP)
* new(falco): introduce append_output configuration [[#3308](https://github.com/falcosecurity/falco/pull/3308)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(userspace/falco): added --config-schema action to print config schema [[#3312](https://github.com/falcosecurity/falco/pull/3312)] - [@FedeDP](https://github.com/FedeDP)
* new(falco): enable CLI options with -o key={object} [[#3310](https://github.com/falcosecurity/falco/pull/3310)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(config): add `container_engines` config to falco.yaml [[#3266](https://github.com/falcosecurity/falco/pull/3266)] - [@incertum](https://github.com/incertum)
* new(metrics): add host_ifinfo metric [[#3253](https://github.com/falcosecurity/falco/pull/3253)] - [@incertum](https://github.com/incertum)
* new(userspace,unit_tests): validate configs against schema [[#3302](https://github.com/falcosecurity/falco/pull/3302)] - [@FedeDP](https://github.com/FedeDP)


### Minor Changes

* update(falco): upgrade libs to 0.18.1 [[#3349](https://github.com/falcosecurity/falco/pull/3349)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(systemd): users can refer to systemd falco services with a consistent unique alias falco.service [[#3332](https://github.com/falcosecurity/falco/pull/3332)] - [@ekoops](https://github.com/ekoops)
* update(cmake): bump libs to 0.18.0 and driver to 7.3.0+driver. [[#3330](https://github.com/falcosecurity/falco/pull/3330)] - [@FedeDP](https://github.com/FedeDP)
* chore(userspace/falco): deprecate `cri` related CLI options. [[#3329](https://github.com/falcosecurity/falco/pull/3329)] - [@FedeDP](https://github.com/FedeDP)
* update(cmake): bumped falcoctl to v0.10.0 and rules to 3.2.0 [[#3327](https://github.com/falcosecurity/falco/pull/3327)] - [@FedeDP](https://github.com/FedeDP)
* update(falco_metrics): change prometheus rules metric naming [[#3324](https://github.com/falcosecurity/falco/pull/3324)] - [@incertum](https://github.com/incertum)


### Bug Fixes

* fix(falco): allow disable_cri_async from both CLI and config [[#3353](https://github.com/falcosecurity/falco/pull/3353)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(engine): sync outputs before printing stats at shutdown [[#3338](https://github.com/falcosecurity/falco/pull/3338)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(falco): allow plugin init_config map in json schema [[#3335](https://github.com/falcosecurity/falco/pull/3335)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(userspace/falco): properly account for plugin with CAP_PARSING when computing interesting sc set [[#3334](https://github.com/falcosecurity/falco/pull/3334)] - [@FedeDP](https://github.com/FedeDP)



### Non user-facing changes

* feat(cmake): add conditional builds for falcoctl and rules paths [[#3305](https://github.com/falcosecurity/falco/pull/3305)] - [@tembleking](https://github.com/tembleking)
* cleanup(falco): ignore lint commit [[#3354](https://github.com/falcosecurity/falco/pull/3354)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(falco): apply code formatting [[#3350](https://github.com/falcosecurity/falco/pull/3350)] - [@poiana](https://github.com/poiana)
* chore: ignore_some_files for clang format [[#3351](https://github.com/falcosecurity/falco/pull/3351)] - [@Andreagit97](https://github.com/Andreagit97)
* sync: release 0.39.x [[#3340](https://github.com/falcosecurity/falco/pull/3340)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/engine): improve rule json schema to account for `source` and `required_plugin_versions` [[#3328](https://github.com/falcosecurity/falco/pull/3328)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(falco): use header file for json schema [[#3325](https://github.com/falcosecurity/falco/pull/3325)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(engine): modify append_output format [[#3322](https://github.com/falcosecurity/falco/pull/3322)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore: scaffolding for enabling code formatting [[#3321](https://github.com/falcosecurity/falco/pull/3321)] - [@Andreagit97](https://github.com/Andreagit97)
* update(cmake): bump libs and driver to 0.18.0-rc1. [[#3320](https://github.com/falcosecurity/falco/pull/3320)] - [@FedeDP](https://github.com/FedeDP)
* fix(ci): restore master and release CI workflow permissions. [[#3317](https://github.com/falcosecurity/falco/pull/3317)] - [@FedeDP](https://github.com/FedeDP)
* fixed the token-permission and pinned-dependencies issue [[#3299](https://github.com/falcosecurity/falco/pull/3299)] - [@harshitasao](https://github.com/harshitasao)
* update(cmake): bump falcoctl to v0.10.0-rc1 [[#3316](https://github.com/falcosecurity/falco/pull/3316)] - [@alacuku](https://github.com/alacuku)
* ci(insecure-api): update semgrep docker image [[#3315](https://github.com/falcosecurity/falco/pull/3315)] - [@francesco-furlan](https://github.com/francesco-furlan)
* Add demo environment instructions and docker-config files [[#3295](https://github.com/falcosecurity/falco/pull/3295)] - [@bbl232](https://github.com/bbl232)
* chore(deps): Bump submodules/falcosecurity-rules from `baecf18` to `b6ad373` [[#3301](https://github.com/falcosecurity/falco/pull/3301)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bump libs and driver to latest master  [[#3283](https://github.com/falcosecurity/falco/pull/3283)] - [@jasondellaluce](https://github.com/jasondellaluce)
* chore(deps): Bump submodules/falcosecurity-rules from `342b20d` to `baecf18` [[#3298](https://github.com/falcosecurity/falco/pull/3298)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(deps): Bump submodules/falcosecurity-rules from `068f0f2` to `342b20d` [[#3288](https://github.com/falcosecurity/falco/pull/3288)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* vote: add sgaist to OWNERS [[#3264](https://github.com/falcosecurity/falco/pull/3264)] - [@sgaist](https://github.com/sgaist)
* Add Tulip Retail to adopters list [[#3291](https://github.com/falcosecurity/falco/pull/3291)] - [@bbl232](https://github.com/bbl232)
* chore(deps): Bump submodules/falcosecurity-rules from `28b98b6` to `068f0f2` [[#3282](https://github.com/falcosecurity/falco/pull/3282)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(deps): Bump submodules/falcosecurity-rules from `c0a9bf1` to `28b98b6` [[#3267](https://github.com/falcosecurity/falco/pull/3267)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* Added the OpenSSF Scorecard Badge [[#3250](https://github.com/falcosecurity/falco/pull/3250)] - [@harshitasao](https://github.com/harshitasao)
* chore(deps): Bump submodules/falcosecurity-rules from `ea57e78` to `c0a9bf1` [[#3247](https://github.com/falcosecurity/falco/pull/3247)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake,userspace): bump libs and driver to latest master. [[#3263](https://github.com/falcosecurity/falco/pull/3263)] - [@FedeDP](https://github.com/FedeDP)
* If rule compilation fails, return immediately [[#3260](https://github.com/falcosecurity/falco/pull/3260)] - [@mstemm](https://github.com/mstemm)
* new(userspace/engine): generalize indexable ruleset [[#3251](https://github.com/falcosecurity/falco/pull/3251)] - [@mstemm](https://github.com/mstemm)
* update(cmake): bump libs to master. [[#3249](https://github.com/falcosecurity/falco/pull/3249)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `df963b6` to `ea57e78` [[#3240](https://github.com/falcosecurity/falco/pull/3240)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(ci): enable dummy tests on the testing framework. [[#3233](https://github.com/falcosecurity/falco/pull/3233)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `679a50a` to `df963b6` [[#3231](https://github.com/falcosecurity/falco/pull/3231)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bump libs and driver to master. [[#3225](https://github.com/falcosecurity/falco/pull/3225)] - [@FedeDP](https://github.com/FedeDP)
* chore(deps): Bump submodules/falcosecurity-rules from `9e56293` to `679a50a` [[#3222](https://github.com/falcosecurity/falco/pull/3222)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(docs): update CHANGELOG for 0.38.0 (master branch) [[#3224](https://github.com/falcosecurity/falco/pull/3224)] - [@LucaGuerra](https://github.com/LucaGuerra)

### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |     35 |
| Release note    |     22 |
| Total           |     57 |

## v0.38.2

Released on 2024-08-19

### Bug Fixes

* fix(engine): fix metrics names to better adhere to best practices [[#3272](https://github.com/falcosecurity/falco/pull/3272)] - [@incertum](https://github.com/incertum)
* fix(ci): use vault.centos.org for centos:7 CI build. [[#3274](https://github.com/falcosecurity/falco/pull/3274)] - [@FedeDP](https://github.com/FedeDP)

## v0.38.1

Released on 2024-06-19

### Major Changes

* new(metrics): enable plugins metrics [[#3228](https://github.com/falcosecurity/falco/pull/3228)] - [@mrgian](https://github.com/mrgian)


### Minor Changes

* cleanup(falco): clarify that --print variants only affect syscalls [[#3238](https://github.com/falcosecurity/falco/pull/3238)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(engine): enable -p option for all sources, -pk, -pc etc only for syscall sources [[#3239](https://github.com/falcosecurity/falco/pull/3239)] - [@LucaGuerra](https://github.com/LucaGuerra)


### Bug Fixes

* fix(engine): enable output substitution only for syscall rules, prevent engine from exiting with validation errors when a plugin is loaded and -pc/pk is specified [[#3236](https://github.com/falcosecurity/falco/pull/3236)] - [@mrgian](https://github.com/mrgian)
* fix(metrics): allow each metric output channel to be selected independently [[#3232](https://github.com/falcosecurity/falco/pull/3232)] - [@incertum](https://github.com/incertum)
* fix(userspace/falco): fixed `falco_metrics::to_text` implementation when running with plugins [[#3230](https://github.com/falcosecurity/falco/pull/3230)] - [@FedeDP](https://github.com/FedeDP)



### Statistics

|   MERGED PRS    | NUMBER |
|-----------------|--------|
| Not user-facing |      0 |
| Release note    |      6 |
| Total           |      6 |

## v0.38.0

Released on 2024-05-30

### Breaking Changes :warning:

* new(scripts,docker)!: enable automatic driver selection logic in packages and docker images. Modern eBPF is now also the default driver and the highest priority one in the new driver selection logic. [[#3154](https://github.com/falcosecurity/falco/pull/3154)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(falco.yaml)!: remove some deprecated configs [[#3087](https://github.com/falcosecurity/falco/pull/3087)] - [@Andreagit97](https://github.com/Andreagit97)
* cleanup(docker)!: remove unused builder dockerfile [[#3088](https://github.com/falcosecurity/falco/pull/3088)] - [@Andreagit97](https://github.com/Andreagit97)

More details: https://falco.org/blog/falco-0-38-0/#breaking-changes-and-deprecations

### Major Changes

* new(webserver): a metrics endpoint has been added providing prometheus metrics. It can be optionally enabled using the new `metrics.prometheus_enabled` configuration option. It will only be activated if `metrics.enabled` is true as well. [[#3140](https://github.com/falcosecurity/falco/pull/3140)] - [@sgaist](https://github.com/sgaist)
* new(metrics): add `rules_counters_enabled` option [[#3192](https://github.com/falcosecurity/falco/pull/3192)] - [@incertum](https://github.com/incertum)
* new(build): provide signatures for .tar.gz packages [[#3201](https://github.com/falcosecurity/falco/pull/3201)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(engine): add print_enabled_rules_falco_logger when log_level debug [[#3189](https://github.com/falcosecurity/falco/pull/3189)] - [@incertum](https://github.com/incertum)
* new(falco): allow selecting which rules to load from the configuration file or command line [[#3178](https://github.com/falcosecurity/falco/pull/3178)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(metrics): add file sha256sum metrics for loaded config and rules files [[#3187](https://github.com/falcosecurity/falco/pull/3187)] - [@incertum](https://github.com/incertum)
* new(engine): throw an error when an invalid macro/list name is used [[#3116](https://github.com/falcosecurity/falco/pull/3116)] - [@mrgian](https://github.com/mrgian)
* new(engine): raise warning instead of error on invalid macro/list name [[#3167](https://github.com/falcosecurity/falco/pull/3167)] - [@mrgian](https://github.com/mrgian)
* new(userspace): support split config files [[#3024](https://github.com/falcosecurity/falco/pull/3024)] - [@FedeDP](https://github.com/FedeDP)
* new(engine): enforce unique exceptions names [[#3134](https://github.com/falcosecurity/falco/pull/3134)] - [@mrgian](https://github.com/mrgian)
* new(engine): add warning when appending an exception with no values [[#3133](https://github.com/falcosecurity/falco/pull/3133)] - [@mrgian](https://github.com/mrgian)
* feat(metrics): coherent metrics stats model  including few metrics naming changes [[#3129](https://github.com/falcosecurity/falco/pull/3129)] - [@incertum](https://github.com/incertum)
* new(config): add `falco_libs.thread_table_size` [[#3071](https://github.com/falcosecurity/falco/pull/3071)] - [@incertum](https://github.com/incertum)
* new(proposals): introduce on host anomaly detection framework [[#2655](https://github.com/falcosecurity/falco/pull/2655)] - [@incertum](https://github.com/incertum)


### Minor Changes

* update(cmake): bump falcoctl to v0.8.0. [[#3219](https://github.com/falcosecurity/falco/pull/3219)] - [@FedeDP](https://github.com/FedeDP)
* update(rules): update falco-rules to 3.1.0 [[#3217](https://github.com/falcosecurity/falco/pull/3217)] - [@LucaGuerra](https://github.com/LucaGuerra)
* refactor(userspace): move falco logger under falco engine [[#3208](https://github.com/falcosecurity/falco/pull/3208)] - [@jasondellaluce](https://github.com/jasondellaluce)
* chore(docs): apply features adoption and deprecation proposal to config file keys [[#3206](https://github.com/falcosecurity/falco/pull/3206)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(metrics): add original rule name as label [[#3205](https://github.com/falcosecurity/falco/pull/3205)] - [@incertum](https://github.com/incertum)
* update(falco): deprecate options -T, -t and -D [[#3193](https://github.com/falcosecurity/falco/pull/3193)] - [@LucaGuerra](https://github.com/LucaGuerra)
* refactor: bump libs and driver, support field modifiers [[#3186](https://github.com/falcosecurity/falco/pull/3186)] - [@jasondellaluce](https://github.com/jasondellaluce)
* chore(userspace/falco): deprecated old 'rules_file' config key [[#3162](https://github.com/falcosecurity/falco/pull/3162)] - [@FedeDP](https://github.com/FedeDP)
* chore(falco): update falco libs and driver to master (Apr 8th 2024) [[#3158](https://github.com/falcosecurity/falco/pull/3158)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(build): update libs to 026ffe1d8f1b25c6ccdc09afa2c02afdd3e3f672 [[#3151](https://github.com/falcosecurity/falco/pull/3151)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup: minor adjustments to readme, add new testing section [[#3072](https://github.com/falcosecurity/falco/pull/3072)] - [@incertum](https://github.com/incertum)
* refactor(userspace/engine): reduce allocations during rules loading [[#3065](https://github.com/falcosecurity/falco/pull/3065)] - [@jasondellaluce](https://github.com/jasondellaluce)
* update(CI): publish wasm package as dev-wasm [[#3017](https://github.com/falcosecurity/falco/pull/3017)] - [@Rohith-Raju](https://github.com/Rohith-Raju)


### Bug Fixes

* fix(userspace/falco): fix state initialization to avoid a crash during hot reload [[#3190](https://github.com/falcosecurity/falco/pull/3190)] - [@FedeDP](https://github.com/FedeDP)
* fix(userspace/engine): make sure exception fields are not optional in replace mode [[#3108](https://github.com/falcosecurity/falco/pull/3108)] - [@jasondellaluce](https://github.com/jasondellaluce)
* fix(docker): added zstd to driver loader images [[#3203](https://github.com/falcosecurity/falco/pull/3203)] - [@FedeDP](https://github.com/FedeDP)
* fix(engine): raise warning instead of error on not-unique exceptions names [[#3159](https://github.com/falcosecurity/falco/pull/3159)] - [@mrgian](https://github.com/mrgian)
* fix(engine): apply output substitutions for all sources [[#3135](https://github.com/falcosecurity/falco/pull/3135)] - [@mrgian](https://github.com/mrgian)
* fix(userspace/configuration): make sure that folders that would trigger permission denied are not traversed [[#3127](https://github.com/falcosecurity/falco/pull/3127)] - [@sgaist](https://github.com/sgaist)
* fix(engine): logical issue in exceptions condition [[#3115](https://github.com/falcosecurity/falco/pull/3115)] - [@mrgian](https://github.com/mrgian)
* fix(cmake): properly let falcoctl cmake module create /usr/share/falco/plugins/ folder. [[#3105](https://github.com/falcosecurity/falco/pull/3105)] - [@FedeDP](https://github.com/FedeDP)



### Non user-facing changes

* update(scripts/falcoctl): bump falco-rules version to 3 [[#3128](https://github.com/falcosecurity/falco/pull/3128)] - [@alacuku](https://github.com/alacuku)
* build(deps): Bump submodules/falcosecurity-rules from `59bf03b` to `9e56293` [[#3212](https://github.com/falcosecurity/falco/pull/3212)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(gha): update cosign to v3.5.0 [[#3209](https://github.com/falcosecurity/falco/pull/3209)] - [@LucaGuerra](https://github.com/LucaGuerra)
* build(deps): Bump submodules/falcosecurity-rules from `29c41c4` to `59bf03b` [[#3207](https://github.com/falcosecurity/falco/pull/3207)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bumped libs to 0.17.0-rc1 and falcoctl to v0.8.0-rc6. [[#3204](https://github.com/falcosecurity/falco/pull/3204)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `3f668d0` to `3cac61c` [[#3044](https://github.com/falcosecurity/falco/pull/3044)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-testing from `ae3950a` to `7abf76f` [[#3094](https://github.com/falcosecurity/falco/pull/3094)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(ci): enforce bundled deps OFF in build-dev CI [[#3118](https://github.com/falcosecurity/falco/pull/3118)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `88a40c8` to `869c9a7` [[#3156](https://github.com/falcosecurity/falco/pull/3156)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bumped falcoctl to v0.8.0-rc5. [[#3199](https://github.com/falcosecurity/falco/pull/3199)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `4f153f5` to `29c41c4` [[#3198](https://github.com/falcosecurity/falco/pull/3198)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bump falcoctl to v0.8.0-rc4 [[#3191](https://github.com/falcosecurity/falco/pull/3191)] - [@FedeDP](https://github.com/FedeDP)
* refactor: smart pointer usage [[#3184](https://github.com/falcosecurity/falco/pull/3184)] - [@federico-sysdig](https://github.com/federico-sysdig)
* build(deps): Bump submodules/falcosecurity-rules from `ec255e6` to `4f153f5` [[#3182](https://github.com/falcosecurity/falco/pull/3182)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(cmake): bumped libs and driver to latest master. [[#3177](https://github.com/falcosecurity/falco/pull/3177)] - [@FedeDP](https://github.com/FedeDP)
* chore(cmake): enable modern bpf build by default. [[#3180](https://github.com/falcosecurity/falco/pull/3180)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(docs): fix typo in license blocks [[#3175](https://github.com/falcosecurity/falco/pull/3175)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(docker,scripts): set old eBPF probe as lowest priority driver. [[#3173](https://github.com/falcosecurity/falco/pull/3173)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `869c9a7` to `ec255e6` [[#3170](https://github.com/falcosecurity/falco/pull/3170)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(app): close inspectors at teardown time [[#3169](https://github.com/falcosecurity/falco/pull/3169)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(docker): fixed docker entrypoints for driver loading. [[#3168](https://github.com/falcosecurity/falco/pull/3168)] - [@FedeDP](https://github.com/FedeDP)
* fix(docker,scripts): do not load falcoctl driver loader when installing Falco deb package in docker images [[#3166](https://github.com/falcosecurity/falco/pull/3166)] - [@FedeDP](https://github.com/FedeDP)
* update(ci): build both release and debug versions [[#3161](https://github.com/falcosecurity/falco/pull/3161)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(userspace/falco): watch all configs files. [[#3160](https://github.com/falcosecurity/falco/pull/3160)] - [@FedeDP](https://github.com/FedeDP)
* fix(ci): update scorecard-action to v2.3.1 [[#3153](https://github.com/falcosecurity/falco/pull/3153)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup(falco): consolidate falco::grpc::server in one class [[#3150](https://github.com/falcosecurity/falco/pull/3150)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(build): enable ASan and UBSan builds with options and in CI [[#3147](https://github.com/falcosecurity/falco/pull/3147)] - [@LucaGuerra](https://github.com/LucaGuerra)
* fix(userspace): variable / function shadowing [[#3123](https://github.com/falcosecurity/falco/pull/3123)] - [@sgaist](https://github.com/sgaist)
* build(deps): Bump submodules/falcosecurity-rules from `fbf0a4e` to `88a40c8` [[#3145](https://github.com/falcosecurity/falco/pull/3145)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(cmake): fix USE_BUNDLED_DEPS=ON and BUILD_FALCO_UNIT_TESTS=ON [[#3146](https://github.com/falcosecurity/falco/pull/3146)] - [@LucaGuerra](https://github.com/LucaGuerra)
* Add --kernelversion and --kernelrelease options to falco driver loader entrypoint [[#3143](https://github.com/falcosecurity/falco/pull/3143)] - [@Sryther](https://github.com/Sryther)
* build(deps): Bump submodules/falcosecurity-rules from `44addef` to `fbf0a4e` [[#3139](https://github.com/falcosecurity/falco/pull/3139)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore: bump to latest libs commit [[#3137](https://github.com/falcosecurity/falco/pull/3137)] - [@Andreagit97](https://github.com/Andreagit97)
* refactor: Use FetchContent for integrating three bundled libs [[#3107](https://github.com/falcosecurity/falco/pull/3107)] - [@federico-sysdig](https://github.com/federico-sysdig)
* build(deps): Bump submodules/falcosecurity-rules from `dc7970d` to `44addef` [[#3136](https://github.com/falcosecurity/falco/pull/3136)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-rules from `f88b991` to `dc7970d` [[#3126](https://github.com/falcosecurity/falco/pull/3126)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* refactor(ci): Avoid using command make directly [[#3101](https://github.com/falcosecurity/falco/pull/3101)] - [@federico-sysdig](https://github.com/federico-sysdig)
* docs(proposal): 20231220-features-adoption-and-deprecation.md [[#2986](https://github.com/falcosecurity/falco/pull/2986)] - [@leogr](https://github.com/leogr)
* build(deps): Bump submodules/falcosecurity-rules from `b499a1d` to `f88b991` [[#3125](https://github.com/falcosecurity/falco/pull/3125)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* docs(README.md): Falco Graduates within the CNCF [[#3124](https://github.com/falcosecurity/falco/pull/3124)] - [@leogr](https://github.com/leogr)
* build(deps): Bump submodules/falcosecurity-rules from `497e011` to `b499a1d` [[#3111](https://github.com/falcosecurity/falco/pull/3111)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(ci): bumped codeql actions. [[#3114](https://github.com/falcosecurity/falco/pull/3114)] - [@FedeDP](https://github.com/FedeDP)
* Cleanup warnings and smart ptrs [[#3112](https://github.com/falcosecurity/falco/pull/3112)] - [@federico-sysdig](https://github.com/federico-sysdig)
* new(build): add options to use bundled dependencies [[#3092](https://github.com/falcosecurity/falco/pull/3092)] - [@mrgian](https://github.com/mrgian)
* fix(ci): test-dev-packages-arm64 needs build-dev-packages-arm64. [[#3110](https://github.com/falcosecurity/falco/pull/3110)] - [@FedeDP](https://github.com/FedeDP)
* refactor: bump libs and driver, and adopt unique pointers wherever possible [[#3109](https://github.com/falcosecurity/falco/pull/3109)] - [@jasondellaluce](https://github.com/jasondellaluce)
* cleanup: falco_engine test fixture [[#3099](https://github.com/falcosecurity/falco/pull/3099)] - [@federico-sysdig](https://github.com/federico-sysdig)
* refactor: test AtomicSignalHandler.handle_once_wait_consistency [[#3100](https://github.com/falcosecurity/falco/pull/3100)] - [@federico-sysdig](https://github.com/federico-sysdig)
* Cleanup variable use [[#3097](https://github.com/falcosecurity/falco/pull/3097)] - [@sgaist](https://github.com/sgaist)
* cleanup(submodules): dropped testing submodule. [[#3098](https://github.com/falcosecurity/falco/pull/3098)] - [@FedeDP](https://github.com/FedeDP)
* cleanup(ci): make use of falcosecurity/testing provided composite action [[#3093](https://github.com/falcosecurity/falco/pull/3093)] - [@FedeDP](https://github.com/FedeDP)
* Improve const correctness [[#3083](https://github.com/falcosecurity/falco/pull/3083)] - [@sgaist](https://github.com/sgaist)
* Improve exception throwing [[#3085](https://github.com/falcosecurity/falco/pull/3085)] - [@sgaist](https://github.com/sgaist)
* fix(ci): update sync in deb and rpm scripts with acl [[#3062](https://github.com/falcosecurity/falco/pull/3062)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup(tests): consolidate Falco engine and rule loader tests [[#3066](https://github.com/falcosecurity/falco/pull/3066)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup: falco_engine deps and include paths [[#3090](https://github.com/falcosecurity/falco/pull/3090)] - [@federico-sysdig](https://github.com/federico-sysdig)
* fix: Some compiler warnings [[#3089](https://github.com/falcosecurity/falco/pull/3089)] - [@federico-sysdig](https://github.com/federico-sysdig)
* build(deps): Bump submodules/falcosecurity-rules from `0f60976` to `497e011` [[#3081](https://github.com/falcosecurity/falco/pull/3081)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(c++): add missing explicit to single argument constructors [[#3069](https://github.com/falcosecurity/falco/pull/3069)] - [@sgaist](https://github.com/sgaist)
* Improve class initialization [[#3074](https://github.com/falcosecurity/falco/pull/3074)] - [@sgaist](https://github.com/sgaist)
* build(deps): Bump submodules/falcosecurity-rules from `6ed2036` to `0f60976` [[#3078](https://github.com/falcosecurity/falco/pull/3078)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-rules from `1053b2d` to `6ed2036` [[#3067](https://github.com/falcosecurity/falco/pull/3067)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(c++): add missing overrides [[#3064](https://github.com/falcosecurity/falco/pull/3064)] - [@sgaist](https://github.com/sgaist)
* new(build): prune deb-dev and rpm-dev directories [[#3056](https://github.com/falcosecurity/falco/pull/3056)] - [@LucaGuerra](https://github.com/LucaGuerra)
* refactor(userspace): align falco to gen-event class family deprecation [[#3051](https://github.com/falcosecurity/falco/pull/3051)] - [@jasondellaluce](https://github.com/jasondellaluce)
* build(deps): Bump submodules/falcosecurity-rules from `3cac61c` to `1053b2d` [[#3047](https://github.com/falcosecurity/falco/pull/3047)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix: adopt new libsinsp logger [[#3026](https://github.com/falcosecurity/falco/pull/3026)] - [@therealbobo](https://github.com/therealbobo)
* refactor: cleanup libs relative include paths [[#2936](https://github.com/falcosecurity/falco/pull/2936)] - [@therealbobo](https://github.com/therealbobo)
* chore(ci): bumped rn2md to latest master. [[#3046](https://github.com/falcosecurity/falco/pull/3046)] - [@FedeDP](https://github.com/FedeDP)
* Support alternate rules loader [[#3008](https://github.com/falcosecurity/falco/pull/3008)] - [@mstemm](https://github.com/mstemm)
* fix(ci): fixed release body driver version. [[#3042](https://github.com/falcosecurity/falco/pull/3042)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `c39d31a` to `3f668d0` [[#3039](https://github.com/falcosecurity/falco/pull/3039)] - [@dependabot[bot]](https://github.com/apps/dependabot)


## v0.37.1

Released on 2024-02-13

### Major Changes

* new(docker): added option for insecure http driver download to falco and driver-loader images [[#3058](https://github.com/falcosecurity/falco/pull/3058)] - [@toamto94](https://github.com/toamto94)

### Minor Changes

* update(cmake): bumped falcoctl to v0.7.2 [[#3076](https://github.com/falcosecurity/falco/pull/3076)] - [@FedeDP](https://github.com/FedeDP)
* update(build): link libelf dynamically [[#3048](https://github.com/falcosecurity/falco/pull/3048)] - [@LucaGuerra](https://github.com/LucaGuerra)

### Bug Fixes

* fix(userspace/engine): always consider all rules (even the ones below min_prio) in m_rule_stats_manager [[#3060](https://github.com/falcosecurity/falco/pull/3060)] - [@FedeDP](https://github.com/FedeDP)

### Non user-facing changes

* Added http headers option for driver download in docker images [[#3075](https://github.com/falcosecurity/falco/pull/3075)] - [@toamto94](https://github.com/toamto94)
* fix(build): install libstdc++ in the Wolfi image [[#3053](https://github.com/falcosecurity/falco/pull/3053)] - [@LucaGuerra](https://github.com/LucaGuerra)

## v0.37.0

Released on 2024-01-30

### Breaking Changes

- The deprecated `rate-limiter` mechanism is removed as it is no longer used.
  - the deprecated `outputs.rate` Falco config is removed.
  - the deprecated `outputs.max_burst` Falco config is removed.
- The deprecated `--userspace` CLI option is removed as it is no longer used.
- The `falco-driver-loader` script will be removed and embedded into falcoctl. The new falcoctl driven implementation will drop:
  - `--source-only` CLI option.
  - `BPF_USE_LOCAL_KERNEL_SOURCES` environment variable.
  - `DRIVER_CURL_OPTIONS` environment variable.
  - `FALCO_BPF_PROBE` environment variable is not used by the new falcoctl driver loader, since it is already deprecated and will be removed in the next major version.
  
  Some env vars were renamed:
  - `DRIVERS_REPO` env variable has been replaced by `FALCOCTL_DRIVER_NAME`  or `--name` command line argument for `falcoctl driver` command
  - `DRIVERS_NAME` env variable has been replaced by `FALCOCTL_DRIVER_REPOS`, or `--repo` command line argument for `falcoctl driver` command
  - `DRIVER_KERNEL_RELEASE` env variable has been replaced by `--kernelrelease` command line argument for `falcoctl driver install` command
  - `DRIVER_KERNEL_VERSION` env variable has been replaced by `--kernelversion` command line argument for `falcoctl driver install` command
  - `DRIVER_INSECURE_DOWNLOAD` env variable has been replaced by `--http-insecure` command line argument for `falcoctl driver install` command
- Remove `-K/-k` options from Falco in favor of the new `k8smeta` plugin.
- Drop plugins shipped with Falco since plugins are now managed by falcoctl.
- Falco 0.37.0 allows environment variables to be expanded even if they are part of a string. This introduces small breaking changes:
  - Previously, environment variables used in YAML that were empty or defined as `""` would be expanded to the default value. This was not consistent with the way YAML was handled in other cases, where we only returned the default values if the node was not defined. Now expanded env vars retain the same behavior as all other variables.
  - Falco 0.37.0 will return default value for nodes that cannot be parsed to chosen type.
  - `program_output` command will be env-expanded at init time, instead of letting `popen` and thus the `sh` shell expand it. This is technically a breaking change even if no behavioral change is expected. Also, you can avoid env var expansion by using `${{FOO}}` instead of `${FOO}`. It will resolve to `${FOO}` and won't be resolved to the env var value.

### Major Changes

* new!: dropped falco-driver-loader script in favor of new falcoctl driver command [[#2905](https://github.com/falcosecurity/falco/pull/2905)] - [@FedeDP](https://github.com/FedeDP)
* update!: bump libs to latest and deprecation of k8s metadata options and configs [[#2914](https://github.com/falcosecurity/falco/pull/2914)] - [@jasondellaluce](https://github.com/jasondellaluce)
* cleanup(falco)!: remove `outputs.rate` and `outputs.max_burst` from Falco config [[#2841](https://github.com/falcosecurity/falco/pull/2841)] - [@Andreagit97](https://github.com/Andreagit97)
* cleanup(falco)!: remove `--userspace` support [[#2839](https://github.com/falcosecurity/falco/pull/2839)] - [@Andreagit97](https://github.com/Andreagit97)
* new(engine): add selective overrides for Falco rules [[#2981](https://github.com/falcosecurity/falco/pull/2981)] - [@LucaGuerra](https://github.com/LucaGuerra)
* feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the `falco.yaml` file can be used for that purpose. Both are disabled by default. [[#2974](https://github.com/falcosecurity/falco/pull/2974)] - [@sgaist](https://github.com/sgaist)
* new(userspace): support env variable expansion in all yaml, even inside strings. [[#2918](https://github.com/falcosecurity/falco/pull/2918)] - [@FedeDP](https://github.com/FedeDP)
* new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [[#2773](https://github.com/falcosecurity/falco/pull/2773)] - [@vjjmiras](https://github.com/vjjmiras)
* new(falco): print system info when Falco starts [[#2927](https://github.com/falcosecurity/falco/pull/2927)] - [@Andreagit97](https://github.com/Andreagit97)
* new: driver selection in falco.yaml [[#2413](https://github.com/falcosecurity/falco/pull/2413)] - [@therealbobo](https://github.com/therealbobo)
* new(build): enable compilation on win32 and macOS. [[#2889](https://github.com/falcosecurity/falco/pull/2889)] - [@therealbobo](https://github.com/therealbobo)
* feat(userspace/falco): falco administrators can now configure the address on which the webserver listens using the new listen_address field in the webserver block of the `falco.yaml` file. [[#2890](https://github.com/falcosecurity/falco/pull/2890)] - [@sgaist](https://github.com/sgaist)

### Minor Changes

* update(userspace/falco): add `engine_version_semver` key in `/versions` endpoint [[#2899](https://github.com/falcosecurity/falco/pull/2899)] - [@loresuso](https://github.com/loresuso)
* update: default ruleset upgrade to version 3.0 [[#3034](https://github.com/falcosecurity/falco/pull/3034)] - [@leogr](https://github.com/leogr)
* update!(config): soft deprecation of drop stats counters in `syscall_event_drops` [[#3015](https://github.com/falcosecurity/falco/pull/3015)] - [@incertum](https://github.com/incertum)
* update(cmake): bumped falcoctl tool to v0.7.1. [[#3030](https://github.com/falcosecurity/falco/pull/3030)] - [@FedeDP](https://github.com/FedeDP)
* update(rule_loader): deprecate the `append` flag in Falco rules [[#2992](https://github.com/falcosecurity/falco/pull/2992)] - [@Andreagit97](https://github.com/Andreagit97)
* cleanup!(cmake): drop bundled plugins in Falco [[#2997](https://github.com/falcosecurity/falco/pull/2997)] - [@FedeDP](https://github.com/FedeDP)
* update(config): clarify deprecation notices + list all env vars [[#2988](https://github.com/falcosecurity/falco/pull/2988)] - [@incertum](https://github.com/incertum)
* update: now the `watch_config_files` config option monitors file/directory moving and deletion, too [[#2965](https://github.com/falcosecurity/falco/pull/2965)] - [@NitroCao](https://github.com/NitroCao)
* update(userspace): enhancements in rule description feature [[#2934](https://github.com/falcosecurity/falco/pull/2934)] - [@jasondellaluce](https://github.com/jasondellaluce)
* update(userspace/falco): add libsinsp state metrics option [[#2883](https://github.com/falcosecurity/falco/pull/2883)] - [@incertum](https://github.com/incertum)
* update(doc): Add Thought Machine as adopters [[#2919](https://github.com/falcosecurity/falco/pull/2919)] - [@RichardoC](https://github.com/RichardoC)
* update(docs): add Wireshark/Logray as adopter [[#2867](https://github.com/falcosecurity/falco/pull/2867)] - [@geraldcombs](https://github.com/geraldcombs)
* update: engine_version in semver representation [[#2838](https://github.com/falcosecurity/falco/pull/2838)] - [@loresuso](https://github.com/loresuso)
* update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [[#2817](https://github.com/falcosecurity/falco/pull/2817)] - [@jasondellaluce](https://github.com/jasondellaluce)

### Bug Fixes

* fix(userspace/metric): minor fixes in new libsinsp state metrics handling [[#3033](https://github.com/falcosecurity/falco/pull/3033)] - [@incertum](https://github.com/incertum)
* fix(userspace/engine): avoid storing escaped strings in engine defs [[#3028](https://github.com/falcosecurity/falco/pull/3028)] - [@jasondellaluce](https://github.com/jasondellaluce)
* fix(userspace/engine): cache latest rules compilation output [[#2900](https://github.com/falcosecurity/falco/pull/2900)] - [@jasondellaluce](https://github.com/jasondellaluce)
* fix(userspace/engine): solve description of macro-only rules [[#2898](https://github.com/falcosecurity/falco/pull/2898)] - [@jasondellaluce](https://github.com/jasondellaluce)
* fix(userspace/engine): fix memory leak [[#2877](https://github.com/falcosecurity/falco/pull/2877)] - [@therealbobo](https://github.com/therealbobo)

### Non user-facing changes

* fix: nlohmann_json lib include path [[#3032](https://github.com/falcosecurity/falco/pull/3032)] - [@federico-sysdig](https://github.com/federico-sysdig)
* chore: bump falco rules [[#3021](https://github.com/falcosecurity/falco/pull/3021)] - [@Andreagit97](https://github.com/Andreagit97)
* chore: bump Falco to libs 0.14.1 [[#3020](https://github.com/falcosecurity/falco/pull/3020)] - [@Andreagit97](https://github.com/Andreagit97)
* chore(build): remove outdated development libs [[#2946](https://github.com/falcosecurity/falco/pull/2946)] - [@federico-sysdig](https://github.com/federico-sysdig)
* chore(falco): bump Falco to `000d576` libs commit [[#2944](https://github.com/falcosecurity/falco/pull/2944)] - [@Andreagit97](https://github.com/Andreagit97)
* fix(gha): update rpmsign [[#2856](https://github.com/falcosecurity/falco/pull/2856)] - [@LucaGuerra](https://github.com/LucaGuerra)
* build(deps): Bump submodules/falcosecurity-rules from `424b258` to `1221b9e` [[#3000](https://github.com/falcosecurity/falco/pull/3000)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-rules from `2ac430b` to `c39d31a` [[#3019](https://github.com/falcosecurity/falco/pull/3019)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* cleanup(falco.yaml): rename `none` in `nodriver` [[#3012](https://github.com/falcosecurity/falco/pull/3012)] - [@Andreagit97](https://github.com/Andreagit97)
* update(config): graduate outputs_queue to stable [[#3016](https://github.com/falcosecurity/falco/pull/3016)] - [@incertum](https://github.com/incertum)
* update(cmake): bump falcoctl to v0.7.0. [[#3009](https://github.com/falcosecurity/falco/pull/3009)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `1221b9e` to `2ac430b` [[#3007](https://github.com/falcosecurity/falco/pull/3007)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(ci): bumped rn2md to latest master. [[#3006](https://github.com/falcosecurity/falco/pull/3006)] - [@FedeDP](https://github.com/FedeDP)
* chore: bump Falco to latest libs [[#3002](https://github.com/falcosecurity/falco/pull/3002)] - [@Andreagit97](https://github.com/Andreagit97)
* chore: bump driver version [[#2998](https://github.com/falcosecurity/falco/pull/2998)] - [@Andreagit97](https://github.com/Andreagit97)
* Add addl source related methods [[#2939](https://github.com/falcosecurity/falco/pull/2939)] - [@mstemm](https://github.com/mstemm)
* build(deps): Bump submodules/falcosecurity-rules from `cd33bc3` to `424b258` [[#2993](https://github.com/falcosecurity/falco/pull/2993)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* cleanup(engine): clarify deprecation notice for engines [[#2987](https://github.com/falcosecurity/falco/pull/2987)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(cmake): bumped falcoctl to v0.7.0-rc1. [[#2983](https://github.com/falcosecurity/falco/pull/2983)] - [@FedeDP](https://github.com/FedeDP)
* chore(ci): revert #2961. [[#2984](https://github.com/falcosecurity/falco/pull/2984)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-testing from `930170b` to `9b9630e` [[#2980](https://github.com/falcosecurity/falco/pull/2980)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore: bump Falco to latest libs [[#2977](https://github.com/falcosecurity/falco/pull/2977)] - [@Andreagit97](https://github.com/Andreagit97)
* build(deps): Bump submodules/falcosecurity-rules from `262f569` to `cd33bc3` [[#2976](https://github.com/falcosecurity/falco/pull/2976)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* Allow enabling rules by ruleset id in addition to name [[#2920](https://github.com/falcosecurity/falco/pull/2920)] - [@mstemm](https://github.com/mstemm)
* chore(ci): enable aarch64 falco driver loader tests. [[#2961](https://github.com/falcosecurity/falco/pull/2961)] - [@FedeDP](https://github.com/FedeDP)
* chore(unit_tests): added more tests for yaml env vars expansion. [[#2972](https://github.com/falcosecurity/falco/pull/2972)] - [@FedeDP](https://github.com/FedeDP)
* chore(falco.yaml): use HOME env var for ebpf probe path. [[#2971](https://github.com/falcosecurity/falco/pull/2971)] - [@FedeDP](https://github.com/FedeDP)
* chore: bump falco to latest libs [[#2970](https://github.com/falcosecurity/falco/pull/2970)] - [@Andreagit97](https://github.com/Andreagit97)
* build(deps): Bump submodules/falcosecurity-rules from `dd38952` to `262f569` [[#2969](https://github.com/falcosecurity/falco/pull/2969)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* update(readme): add actuated.dev badge [[#2967](https://github.com/falcosecurity/falco/pull/2967)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [[#2968](https://github.com/falcosecurity/falco/pull/2968)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `64e2adb` to `dd38952` [[#2959](https://github.com/falcosecurity/falco/pull/2959)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(docker): small fixes in docker entrypoints for new driver loader. [[#2966](https://github.com/falcosecurity/falco/pull/2966)] - [@FedeDP](https://github.com/FedeDP)
* chore(build): allow usage of non-bundled nlohmann-json [[#2947](https://github.com/falcosecurity/falco/pull/2947)] - [@federico-sysdig](https://github.com/federico-sysdig)
* update(ci): enable actuated.dev [[#2945](https://github.com/falcosecurity/falco/pull/2945)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup: fix several warnings from a Clang build [[#2948](https://github.com/falcosecurity/falco/pull/2948)] - [@federico-sysdig](https://github.com/federico-sysdig)
* chore(docker/falco): add back some deps to falco docker image. [[#2932](https://github.com/falcosecurity/falco/pull/2932)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-testing from `92c313f` to `5248e6d` [[#2937](https://github.com/falcosecurity/falco/pull/2937)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-rules from `e206c1a` to `8f0520f` [[#2904](https://github.com/falcosecurity/falco/pull/2904)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* cleanup(falco): remove decode_uri as it is no longer used [[#2933](https://github.com/falcosecurity/falco/pull/2933)] - [@LucaGuerra](https://github.com/LucaGuerra)
* update(engine): port decode_uri in falco engine [[#2912](https://github.com/falcosecurity/falco/pull/2912)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(falco): update to libs on nov 28th [[#2929](https://github.com/falcosecurity/falco/pull/2929)] - [@LucaGuerra](https://github.com/LucaGuerra)
* cleanup(falco): remove `init` in the configuration constructor [[#2917](https://github.com/falcosecurity/falco/pull/2917)] - [@Andreagit97](https://github.com/Andreagit97)
* build(deps): Bump submodules/falcosecurity-rules from `8f0520f` to `64e2adb` [[#2908](https://github.com/falcosecurity/falco/pull/2908)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* cleanup(userspace/engine): remove legacy k8saudit implementation [[#2913](https://github.com/falcosecurity/falco/pull/2913)] - [@jasondellaluce](https://github.com/jasondellaluce)
* fix(gha): disable branch protection rule trigger for scorecard [[#2911](https://github.com/falcosecurity/falco/pull/2911)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(gha): set cosign-installer to v3.1.2 [[#2901](https://github.com/falcosecurity/falco/pull/2901)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(docs): sync changelog for 0.36.2. [[#2894](https://github.com/falcosecurity/falco/pull/2894)] - [@FedeDP](https://github.com/FedeDP)
* Run OpenSSF Scorecard in pipeline [[#2888](https://github.com/falcosecurity/falco/pull/2888)] - [@maxgio92](https://github.com/maxgio92)
* cleanup: replace banned.h with semgrep [[#2881](https://github.com/falcosecurity/falco/pull/2881)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(gha): upgrade GitHub actions [[#2876](https://github.com/falcosecurity/falco/pull/2876)] - [@LucaGuerra](https://github.com/LucaGuerra)
* build(deps): Bump submodules/falcosecurity-rules from `a22d0d7` to `e206c1a` [[#2865](https://github.com/falcosecurity/falco/pull/2865)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-rules from `d119706` to `a22d0d7` [[#2860](https://github.com/falcosecurity/falco/pull/2860)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* fix(gha): use fedora instead of centos 7 for package publishing [[#2854](https://github.com/falcosecurity/falco/pull/2854)] - [@LucaGuerra](https://github.com/LucaGuerra)
* chore(gha): pin versions to hashes [[#2849](https://github.com/falcosecurity/falco/pull/2849)] - [@LucaGuerra](https://github.com/LucaGuerra)
* build(deps): Bump submodules/falcosecurity-rules from `c366d5b` to `d119706` [[#2847](https://github.com/falcosecurity/falco/pull/2847)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* new(ci): properly link libs and driver releases linked to a Falco release [[#2846](https://github.com/falcosecurity/falco/pull/2846)] - [@FedeDP](https://github.com/FedeDP)
* build(deps): Bump submodules/falcosecurity-rules from `7a7cf24` to `c366d5b` [[#2842](https://github.com/falcosecurity/falco/pull/2842)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* build(deps): Bump submodules/falcosecurity-rules from `77ba57a` to `7a7cf24` [[#2836](https://github.com/falcosecurity/falco/pull/2836)] - [@dependabot[bot]](https://github.com/apps/dependabot)
* chore(ci): bumped rn2md to latest master. [[#2844](https://github.com/falcosecurity/falco/pull/2844)] - [@FedeDP](https://github.com/FedeDP)

## v0.36.2

Released on 2023-10-27

NO CHANGES IN FALCO, ALL CHANGES IN LIBS.


## v0.36.1

Released on 2023-10-16

### Major Changes

### Minor Changes

* feat(userspace): remove experimental outputs queue recovery strategies [[#2863](https://github.com/falcosecurity/falco/pull/2863)] - [@incertum](https://github.com/incertum)

### Bug Fixes

* fix(userspace/falco): timer_delete() workaround due to bug in older GLIBC [[#2851](https://github.com/falcosecurity/falco/pull/2851)] - [@incertum](https://github.com/incertum)


## v0.36.0

Released on 2023-09-26

### Breaking Changes

- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as `falco-rules` is now a _stable_ rule file. This file **contains a much smaller number of rules** that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use cases. The rest of that file has been expanded and split into `falco-incubating-rules` and `falco-sandbox-rules`. For more information, see the [rules repository](https://github.com/falcosecurity/rules).
- The main `falcosecurity/falco` container image and its `falco-driver-loader` counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer versions of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as `falcosecurity/falco-driver-loader-legacy`.
- The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option `http_output.echo` in `falco.yaml`.
- The `--list-syscall-events` command line option has been replaced by `--list-events` which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
- The semantics of `proc.exepath` have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
- The `-d` daemonize option has been removed.
- The `-p` option is now changed:
    - when only `-pc` is set Falco will print `container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name`
    - when `-pk` is set it will print as above, but with `k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name` appended


### Major Changes


* new(falco-driver-loader): --source-only now prints the values as env vars [[#2353](https://github.com/falcosecurity/falco/pull/2353)] - [@steakunderscore](https://github.com/steakunderscore)
* new(docker): allow passing options to falco-driver-loader from the driver loader container [[#2781](https://github.com/falcosecurity/falco/pull/2781)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new(docker): add experimental falco-distroless image based on Wolfi [[#2768](https://github.com/falcosecurity/falco/pull/2768)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new: the legacy falco image is available as driver-loader-legacy [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
* new: added option to enable/dis
gitextract_4qc7e9o1/

├── .circleci/
│   └── OWNERS
├── .clang-format
├── .clang-format-ignore
├── .cmake-format.json
├── .codespellignore
├── .dockerignore
├── .git-blame-ignore-revs
├── .github/
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── dependabot.yml
│   ├── release_template.md
│   └── workflows/
│       ├── bump-libs.yaml
│       ├── ci.yml
│       ├── codeql.yaml
│       ├── codespell.yml
│       ├── engine-version-weakcheck.yaml
│       ├── format.yaml
│       ├── insecure-api.yaml
│       ├── master.yaml
│       ├── release.yaml
│       ├── reusable_build_dev.yaml
│       ├── reusable_build_docker.yaml
│       ├── reusable_build_packages.yaml
│       ├── reusable_fetch_version.yaml
│       ├── reusable_publish_docker.yaml
│       ├── reusable_publish_packages.yaml
│       ├── reusable_test_packages.yaml
│       ├── scorecard.yaml
│       └── staticanalysis.yaml
├── .gitignore
├── .gitmodules
├── .pre-commit-config.yaml
├── .yamllint.conf
├── ADOPTERS.md
├── CHANGELOG.md
├── CMakeLists.txt
├── COPYING
├── Contributing.md
├── LICENSE
├── Makefile
├── OWNERS
├── README.md
├── RELEASE.md
├── brand/
│   └── README.md
├── cmake/
│   ├── cpack/
│   │   ├── CMakeCPackOptions.cmake
│   │   └── debian/
│   │       └── conffiles
│   └── modules/
│       ├── CPackConfig.cmake
│       ├── CompilerFlags.cmake
│       ├── Coverage.cmake
│       ├── cares.cmake
│       ├── copy_files_to_build_dir.cmake
│       ├── cpp-httplib.cmake
│       ├── curl.cmake
│       ├── cxxopts.cmake
│       ├── driver-repo/
│       │   └── CMakeLists.txt
│       ├── driver.cmake
│       ├── falco-version.cmake
│       ├── falcoctl.cmake
│       ├── falcosecurity-libs-repo/
│       │   └── CMakeLists.txt
│       ├── falcosecurity-libs.cmake
│       ├── gperftools.cmake
│       ├── jemalloc.cmake
│       ├── mimalloc.cmake
│       ├── njson.cmake
│       ├── openssl.cmake
│       ├── rules.cmake
│       ├── static-analysis.cmake
│       └── yaml-cpp.cmake
├── config/
│   ├── falco.container_plugin.yaml
│   └── falco.iso8601_timeformat.yaml
├── docker/
│   ├── OWNERS
│   ├── README.md
│   ├── docker-compose/
│   │   ├── README.md
│   │   ├── config/
│   │   │   └── http_output.yml
│   │   └── docker-compose.yaml
│   ├── driver-loader/
│   │   ├── Dockerfile
│   │   └── docker-entrypoint.sh
│   ├── driver-loader-buster/
│   │   ├── Dockerfile
│   │   └── docker-entrypoint.sh
│   ├── falco/
│   │   └── Dockerfile
│   └── falco-debian/
│       └── Dockerfile
├── falco.yaml
├── proposals/
│   ├── 20190826-grpc-outputs.md
│   ├── 20190909-psp-rules-support.md
│   ├── 20191030-api.md
│   ├── 20191217-rules-naming-convention.md
│   ├── 20200506-artifacts-scope-part-1.md
│   ├── 20200506-artifacts-scope-part-2.md
│   ├── 20200818-artifacts-storage.md
│   ├── 20200828-structured-exception-handling.md
│   ├── 20200901-artifacts-cleanup.md
│   ├── 20201025-drivers-storage-s3.md
│   ├── 20210119-libraries-contribution.md
│   ├── 20210501-plugin-system.md
│   ├── 20221129-artifacts-distribution.md
│   ├── 20230511-roadmap-management.md
│   ├── 20230620-anomaly-detection-framework.md
│   ├── 20231220-features-adoption-and-deprecation.md
│   ├── 20251205-multi-thread-falco-design.md
│   └── 20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md
├── scripts/
│   ├── CMakeLists.txt
│   ├── debian/
│   │   ├── postinst.in
│   │   ├── postrm.in
│   │   └── prerm.in
│   ├── description.txt
│   ├── falcoctl/
│   │   └── falcoctl.yaml.in
│   ├── publish-bin
│   ├── publish-deb
│   ├── publish-rpm
│   ├── publish-wasm
│   ├── rpm/
│   │   ├── postinstall.in
│   │   ├── postuninstall.in
│   │   └── preuninstall.in
│   └── systemd/
│       ├── falco-custom.service
│       ├── falco-kmod-inject.service
│       ├── falco-kmod.service
│       ├── falco-modern-bpf.service
│       └── falcoctl-artifact-follow.service
├── semgrep/
│   ├── insecure-api-gets.yaml
│   ├── insecure-api-sprintf-vsprintf.yaml
│   ├── insecure-api-strcpy-stpcpy-strcat.yaml
│   └── insecure-api-strn.yaml
├── tools/
│   └── local_hooks/
│       └── dco-pre-commit-msg.sh
├── unit_tests/
│   ├── CMakeLists.txt
│   ├── README.md
│   ├── engine/
│   │   ├── test_add_source.cpp
│   │   ├── test_alt_rule_loader.cpp
│   │   ├── test_enable_rule.cpp
│   │   ├── test_extra_output.cpp
│   │   ├── test_falco_utils.cpp
│   │   ├── test_filter_details_resolver.cpp
│   │   ├── test_filter_macro_resolver.cpp
│   │   ├── test_filter_warning_resolver.cpp
│   │   ├── test_plugin_requirements.cpp
│   │   ├── test_rule_loader.cpp
│   │   └── test_rulesets.cpp
│   ├── falco/
│   │   ├── app/
│   │   │   └── actions/
│   │   │       ├── app_action_helpers.h
│   │   │       ├── test_configure_interesting_sets.cpp
│   │   │       ├── test_configure_syscall_buffer_num.cpp
│   │   │       ├── test_load_config.cpp
│   │   │       └── test_select_event_sources.cpp
│   │   ├── test_atomic_signal_handler.cpp
│   │   ├── test_capture.cpp
│   │   ├── test_configs/
│   │   │   ├── engine_kmod_config.yaml
│   │   │   └── engine_modern_config.yaml
│   │   ├── test_configuration.cpp
│   │   ├── test_configuration_config_files.cpp
│   │   ├── test_configuration_env_vars.cpp
│   │   ├── test_configuration_output_options.cpp
│   │   ├── test_configuration_rule_selection.cpp
│   │   └── test_configuration_schema.cpp
│   ├── falco_test_var.h.in
│   ├── test_falco_engine.cpp
│   └── test_falco_engine.h
└── userspace/
    ├── engine/
    │   ├── CMakeLists.txt
    │   ├── OWNERS
    │   ├── evttype_index_ruleset.cpp
    │   ├── evttype_index_ruleset.h
    │   ├── falco_common.cpp
    │   ├── falco_common.h
    │   ├── falco_engine.cpp
    │   ├── falco_engine.h
    │   ├── falco_engine_version.h
    │   ├── falco_load_result.cpp
    │   ├── falco_load_result.h
    │   ├── falco_rule.h
    │   ├── falco_source.h
    │   ├── falco_utils.cpp
    │   ├── falco_utils.h
    │   ├── field_formatter.cpp
    │   ├── field_formatter.h
    │   ├── filter_details_resolver.cpp
    │   ├── filter_details_resolver.h
    │   ├── filter_macro_resolver.cpp
    │   ├── filter_macro_resolver.h
    │   ├── filter_ruleset.cpp
    │   ├── filter_ruleset.h
    │   ├── filter_warning_resolver.cpp
    │   ├── filter_warning_resolver.h
    │   ├── formats.cpp
    │   ├── formats.h
    │   ├── indexable_ruleset.h
    │   ├── indexed_vector.h
    │   ├── logger.cpp
    │   ├── logger.h
    │   ├── output_format.h
    │   ├── rule_json_schema.h
    │   ├── rule_loader.cpp
    │   ├── rule_loader.h
    │   ├── rule_loader_collector.cpp
    │   ├── rule_loader_collector.h
    │   ├── rule_loader_compile_output.h
    │   ├── rule_loader_compiler.cpp
    │   ├── rule_loader_compiler.h
    │   ├── rule_loader_reader.cpp
    │   ├── rule_loader_reader.h
    │   ├── rule_loading_messages.h
    │   ├── stats_manager.cpp
    │   ├── stats_manager.h
    │   └── yaml_helper.h
    └── falco/
        ├── CMakeLists.txt
        ├── app/
        │   ├── actions/
        │   │   ├── actions.h
        │   │   ├── cleanup_outputs.cpp
        │   │   ├── close_inspectors.cpp
        │   │   ├── configure_interesting_sets.cpp
        │   │   ├── configure_syscall_buffer_num.cpp
        │   │   ├── configure_syscall_buffer_size.cpp
        │   │   ├── create_signal_handlers.cpp
        │   │   ├── event_formatter.cpp
        │   │   ├── event_formatter.h
        │   │   ├── helpers.h
        │   │   ├── helpers_generic.cpp
        │   │   ├── helpers_inspector.cpp
        │   │   ├── init_falco_engine.cpp
        │   │   ├── init_inspectors.cpp
        │   │   ├── init_outputs.cpp
        │   │   ├── list_fields.cpp
        │   │   ├── list_plugins.cpp
        │   │   ├── load_config.cpp
        │   │   ├── load_plugins.cpp
        │   │   ├── load_rules_files.cpp
        │   │   ├── pidfile.cpp
        │   │   ├── print_config_schema.cpp
        │   │   ├── print_generated_gvisor_config.cpp
        │   │   ├── print_help.cpp
        │   │   ├── print_ignored_events.cpp
        │   │   ├── print_kernel_version.cpp
        │   │   ├── print_page_size.cpp
        │   │   ├── print_plugin_info.cpp
        │   │   ├── print_rule_schema.cpp
        │   │   ├── print_support.cpp
        │   │   ├── print_syscall_events.cpp
        │   │   ├── print_version.cpp
        │   │   ├── process_events.cpp
        │   │   ├── select_event_sources.cpp
        │   │   ├── start_webserver.cpp
        │   │   └── validate_rules_files.cpp
        │   ├── app.cpp
        │   ├── app.h
        │   ├── options.cpp
        │   ├── options.h
        │   ├── restart_handler.cpp
        │   ├── restart_handler.h
        │   ├── run_result.h
        │   ├── signals.h
        │   └── state.h
        ├── atomic_signal_handler.h
        ├── config_falco.h.in
        ├── config_json_schema.h
        ├── configuration.cpp
        ├── configuration.h
        ├── event_drops.cpp
        ├── event_drops.h
        ├── falco.cpp
        ├── falco_metrics.cpp
        ├── falco_metrics.h
        ├── falco_outputs.cpp
        ├── falco_outputs.h
        ├── falco_semaphore.h
        ├── outputs.h
        ├── outputs_file.cpp
        ├── outputs_file.h
        ├── outputs_http.cpp
        ├── outputs_http.h
        ├── outputs_program.cpp
        ├── outputs_program.h
        ├── outputs_stdout.cpp
        ├── outputs_stdout.h
        ├── outputs_syslog.cpp
        ├── outputs_syslog.h
        ├── stats_writer.cpp
        ├── stats_writer.h
        ├── versions_info.cpp
        ├── versions_info.h
        ├── watchdog.h
        ├── webserver.cpp
        └── webserver.h
SYMBOL INDEX (414 symbols across 100 files)

FILE: unit_tests/engine/test_add_source.cpp
  class test_ruleset_factory (line 30) | class test_ruleset_factory : public evttype_index_ruleset_factory {
    method test_ruleset_factory (line 32) | explicit test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> fa...
    method new_ruleset (line 39) | inline std::shared_ptr<filter_ruleset> new_ruleset() override { return...
  function TEST (line 45) | TEST(AddSource, basic) {

FILE: unit_tests/engine/test_alt_rule_loader.cpp
  type test_object_info (line 38) | struct test_object_info {
  type test_compile_output (line 43) | struct test_compile_output : public rule_loader::compile_output {
    method test_compile_output (line 44) | test_compile_output() = default;
    method clone (line 46) | virtual std::unique_ptr<compile_output> clone() const override {
  class test_compiler (line 53) | class test_compiler : public rule_loader::compiler {
    method test_compiler (line 55) | test_compiler() = default;
    method new_compile_output (line 58) | std::unique_ptr<rule_loader::compile_output> new_compile_output() over...
  class test_collector (line 67) | class test_collector : public rule_loader::collector {
    method test_collector (line 69) | test_collector() = default;
  class test_reader (line 75) | class test_reader : public rule_loader::reader {
    method test_reader (line 77) | test_reader() = default;
    method create_context (line 81) | rule_loader::context create_context(const YAML::Node& item,
    method read_item (line 89) | void read_item(rule_loader::configuration& cfg,
  class test_ruleset (line 114) | class test_ruleset : public evttype_index_ruleset {
    method test_ruleset (line 116) | explicit test_ruleset(std::shared_ptr<sinsp_filter_factory> factory):
    method add_compile_output (line 120) | void add_compile_output(const rule_loader::compile_output& compile_out...
  class test_ruleset_factory (line 138) | class test_ruleset_factory : public filter_ruleset_factory {
    method test_ruleset_factory (line 140) | explicit test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> fa...
    method new_ruleset (line 145) | inline std::shared_ptr<filter_ruleset> new_ruleset() override {
  function create_configuration (line 208) | static std::shared_ptr<rule_loader::configuration> create_configuration(
  function load_rules (line 229) | static void load_rules(sinsp& inspector,
  function TEST (line 247) | TEST(engine_loader_alt_loader, load_rules) {
  function TEST (line 268) | TEST(engine_loader_alt_loader, pass_compile_output_to_ruleset) {
  function TEST (line 291) | TEST(engine_loader_alt_loader, falco_engine_alternate_loader) {
  function TEST (line 328) | TEST(engine_loader_alt_loader, clone_compile_output) {

FILE: unit_tests/engine/test_enable_rule.cpp
  function TEST_F (line 83) | TEST_F(test_falco_engine, enable_rule_name) {
  function TEST_F (line 119) | TEST_F(test_falco_engine, enable_rule_tags) {
  function TEST_F (line 146) | TEST_F(test_falco_engine, enable_disabled_rule_by_tag) {
  function TEST_F (line 161) | TEST_F(test_falco_engine, enable_rule_id) {
  function TEST_F (line 201) | TEST_F(test_falco_engine, enable_rule_name_exact) {
  function TEST_F (line 243) | TEST_F(test_falco_engine, enable_rule_name_wildcard) {

FILE: unit_tests/engine/test_extra_output.cpp
  function TEST_F (line 22) | TEST_F(test_falco_engine, extra_format_all) {
  function TEST_F (line 38) | TEST_F(test_falco_engine, extra_format_by_rule) {
  function TEST_F (line 60) | TEST_F(test_falco_engine, extra_format_by_tag_rule) {
  function TEST_F (line 95) | TEST_F(test_falco_engine, extra_format_empty_container_info) {
  function TEST_F (line 111) | TEST_F(test_falco_engine, extra_fields_all) {

FILE: unit_tests/engine/test_falco_utils.cpp
  function TEST (line 21) | TEST(FalcoUtils, is_unix_scheme) {
  function TEST (line 40) | TEST(FalcoUtils, parse_prometheus_interval) {
  function TEST (line 77) | TEST(FalcoUtils, sanitize_rule_name) {
  function TEST (line 86) | TEST(FalcoUtils, matches_wildcard) {

FILE: unit_tests/engine/test_filter_details_resolver.cpp
  function TEST (line 21) | TEST(DetailsResolver, resolve_ast) {

FILE: unit_tests/engine/test_filter_macro_resolver.cpp
  function find_value (line 23) | static std::vector<filter_macro_resolver::value_info>::const_iterator fi...
  function TEST (line 36) | TEST(MacroResolver, should_resolve_macros_on_a_filter_AST) {
  function TEST (line 76) | TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_single_node) {
  function TEST (line 108) | TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_multiple_macro...
  function TEST (line 155) | TEST(MacroResolver, should_resolve_macros_on_a_filter_AST_nested_macros) {
  function TEST (line 210) | TEST(MacroResolver, should_find_unknown_macros) {
  function TEST (line 229) | TEST(MacroResolver, should_find_unknown_nested_macros) {
  function TEST (line 257) | TEST(MacroResolver, should_undefine_macro) {
  function TEST (line 287) | TEST(MacroResolver, should_clone_macro_AST) {

FILE: unit_tests/engine/test_filter_warning_resolver.cpp
  function warns (line 22) | static bool warns(const std::string& condition) {
  function TEST (line 30) | TEST(WarningResolver, warnings_in_filtering_conditions) {

FILE: unit_tests/engine/test_plugin_requirements.cpp
  function check_requirements (line 22) | static bool check_requirements(std::string& err,
  function TEST (line 35) | TEST(PluginRequirements, check_plugin_requirements_success) {
  function TEST (line 128) | TEST(PluginRequirements, check_plugin_requirements_reject) {

FILE: unit_tests/engine/test_rule_loader.cpp
  function TEST_F (line 12) | TEST_F(test_falco_engine, list_append) {
  function TEST_F (line 36) | TEST_F(test_falco_engine, condition_append) {
  function TEST_F (line 62) | TEST_F(test_falco_engine, rule_override_append) {
  function TEST_F (line 98) | TEST_F(test_falco_engine, rule_append) {
  function TEST_F (line 120) | TEST_F(test_falco_engine, rule_override_replace) {
  function TEST_F (line 151) | TEST_F(test_falco_engine, rule_override_append_replace) {
  function TEST_F (line 187) | TEST_F(test_falco_engine, rule_incorrect_override_type) {
  function TEST_F (line 212) | TEST_F(test_falco_engine, rule_incorrect_append_override) {
  function TEST_F (line 238) | TEST_F(test_falco_engine, macro_override_append_before_macro_definition) {
  function TEST_F (line 263) | TEST_F(test_falco_engine, macro_override_replace_before_macro_definition) {
  function TEST_F (line 288) | TEST_F(test_falco_engine, macro_append_before_macro_definition) {
  function TEST_F (line 312) | TEST_F(test_falco_engine, macro_override_append_after_macro_definition) {
  function TEST_F (line 338) | TEST_F(test_falco_engine, macro_append_after_macro_definition) {
  function TEST_F (line 363) | TEST_F(test_falco_engine, rule_override_append_before_rule_definition) {
  function TEST_F (line 383) | TEST_F(test_falco_engine, rule_override_replace_before_rule_definition) {
  function TEST_F (line 403) | TEST_F(test_falco_engine, rule_append_before_rule_definition) {
  function TEST_F (line 422) | TEST_F(test_falco_engine, rule_override_append_after_rule_definition) {
  function TEST_F (line 442) | TEST_F(test_falco_engine, rule_append_after_rule_definition) {
  function TEST_F (line 461) | TEST_F(test_falco_engine, list_override_append_wrong_key) {
  function TEST_F (line 490) | TEST_F(test_falco_engine, list_override_append_before_list_definition) {
  function TEST_F (line 514) | TEST_F(test_falco_engine, list_override_replace_before_list_definition) {
  function TEST_F (line 539) | TEST_F(test_falco_engine, list_append_before_list_definition) {
  function TEST_F (line 562) | TEST_F(test_falco_engine, list_override_append_after_list_definition) {
  function TEST_F (line 586) | TEST_F(test_falco_engine, list_append_after_list_definition) {
  function TEST_F (line 608) | TEST_F(test_falco_engine, rule_override_without_field) {
  function TEST_F (line 629) | TEST_F(test_falco_engine, rule_override_extra_field) {
  function TEST_F (line 651) | TEST_F(test_falco_engine, missing_enabled_key_with_override) {
  function TEST_F (line 675) | TEST_F(test_falco_engine, rule_override_with_enabled) {
  function TEST_F (line 701) | TEST_F(test_falco_engine, rule_override_exceptions_required_fields) {
  function TEST_F (line 738) | TEST_F(test_falco_engine, rule_not_enabled) {
  function TEST_F (line 754) | TEST_F(test_falco_engine, rule_enabled_warning) {
  function TEST_F (line 775) | TEST_F(test_falco_engine, rule_enabled_is_ignored_by_append) {
  function TEST_F (line 798) | TEST_F(test_falco_engine, rewrite_rule) {
  function TEST_F (line 824) | TEST_F(test_falco_engine, required_engine_version_semver) {
  function TEST_F (line 842) | TEST_F(test_falco_engine, required_engine_version_not_semver) {
  function TEST_F (line 860) | TEST_F(test_falco_engine, required_engine_version_invalid) {
  function TEST_F (line 879) | TEST_F(test_falco_engine, list_value_with_escaping) {
  function TEST_F (line 909) | TEST_F(test_falco_engine, exceptions_condition) {
  function TEST_F (line 931) | TEST_F(test_falco_engine, macro_name_invalid) {
  function TEST_F (line 943) | TEST_F(test_falco_engine, list_name_invalid) {
  function TEST_F (line 965) | TEST_F(test_falco_engine, exceptions_append_no_values) {
  function TEST_F (line 991) | TEST_F(test_falco_engine, exceptions_override_no_values) {
  function TEST_F (line 1018) | TEST_F(test_falco_engine, exceptions_names_not_unique) {
  function TEST_F (line 1051) | TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous) {
  function TEST_F (line 1069) | TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted) {
  function TEST_F (line 1087) | TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_qu...
  function TEST_F (line 1105) | TEST_F(test_falco_engine, exceptions_values_rhs_transformer) {
  function TEST_F (line 1121) | TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted) {
  function TEST_F (line 1137) | TEST_F(test_falco_engine, exceptions_values_transformer_space) {
  function TEST_F (line 1156) | TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted) {
  function TEST_F (line 1175) | TEST_F(test_falco_engine, exceptions_fields_transformer) {
  function TEST_F (line 1192) | TEST_F(test_falco_engine, exceptions_fields_transformer_quoted) {
  function TEST_F (line 1209) | TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
  function TEST_F (line 1226) | TEST_F(test_falco_engine, redefine_rule_different_source) {
  function TEST_F (line 1247) | TEST_F(test_falco_engine, append_across_sources) {
  function TEST_F (line 1269) | TEST_F(test_falco_engine, selective_replace_across_sources) {
  function TEST_F (line 1289) | TEST_F(test_falco_engine, empty_source_addl_rule) {
  function TEST_F (line 1310) | TEST_F(test_falco_engine, empty_string_source_addl_rule) {
  function TEST_F (line 1333) | TEST_F(test_falco_engine, rule_with_warn_evttypes) {
  function TEST_F (line 1347) | TEST_F(test_falco_engine, rule_with_skip_if_unknown_filter) {
  function TEST_F (line 1361) | TEST_F(test_falco_engine, override_replace_warn_evttypes) {
  function TEST_F (line 1380) | TEST_F(test_falco_engine, override_replace_capture) {
  function TEST_F (line 1398) | TEST_F(test_falco_engine, override_replace_tags) {
  function TEST_F (line 1419) | TEST_F(test_falco_engine, rule_unknown_key) {
  function TEST_F (line 1433) | TEST_F(test_falco_engine, list_unknown_key) {
  function TEST_F (line 1450) | TEST_F(test_falco_engine, macro_unknown_key) {
  function TEST_F (line 1467) | TEST_F(test_falco_engine, list_cross_type_key_priority) {
  function TEST_F (line 1487) | TEST_F(test_falco_engine, deprecated_field_in_output) {
  function TEST_F (line 1505) | TEST_F(test_falco_engine, no_deprecated_field_warning_in_output) {

FILE: unit_tests/engine/test_rulesets.cpp
  function create_factory (line 26) | static std::shared_ptr<sinsp_filter_factory> create_factory(sinsp* inspe...
  function create_ruleset (line 31) | static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<si...
  function create_ast (line 35) | static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(
  function create_filter (line 41) | static std::shared_ptr<sinsp_filter> create_filter(std::shared_ptr<sinsp...
  function TEST (line 47) | TEST(Ruleset, enable_disable_rules_using_names) {
  function TEST (line 139) | TEST(Ruleset, enable_disable_rules_using_tags) {

FILE: unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
  function _order (line 40) | static std::set<std::string> _order(const strset_t& s) {
  function ruleset_from_filters (line 58) | static std::string ruleset_from_filters(const strset_t& filters) {
  function TEST_F (line 73) | TEST_F(test_falco_engine, engine_codes_syscalls_set) {
  function TEST_F (line 112) | TEST_F(test_falco_engine, preconditions_postconditions) {
  function TEST_F (line 141) | TEST_F(test_falco_engine, engine_codes_nonsyscalls_set) {
  function TEST_F (line 195) | TEST_F(test_falco_engine, selection_not_allevents) {
  function TEST_F (line 251) | TEST_F(test_falco_engine, selection_allevents) {
  function TEST_F (line 299) | TEST_F(test_falco_engine, selection_generic_evts) {
  function TEST_F (line 345) | TEST_F(test_falco_engine, selection_custom_base_set) {
  function TEST_F (line 450) | TEST_F(test_falco_engine, selection_custom_base_set_repair) {
  function TEST_F (line 491) | TEST_F(test_falco_engine, selection_empty_custom_base_set_repair) {
  function TEST_F (line 529) | TEST_F(test_falco_engine, selection_base_syscalls_all) {
  function TEST (line 566) | TEST(ConfigureInterestingSets, ignored_set_expected_size) {

FILE: unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp
  function TEST (line 20) | TEST(ActionConfigureSyscallBufferNum, variable_number_of_CPUs) {

FILE: unit_tests/falco/app/actions/test_load_config.cpp
  function TEST (line 22) | TEST(ActionLoadConfig, check_kmod_engine_config) {
  function TEST (line 41) | TEST(ActionLoadConfig, check_modern_engine_config) {

FILE: unit_tests/falco/app/actions/test_select_event_sources.cpp
  function TEST (line 20) | TEST(ActionSelectEventSources, pre_post_conditions) {

FILE: unit_tests/falco/test_atomic_signal_handler.cpp
  function TEST (line 29) | TEST(AtomicSignalHandler, lock_free_implementation) {
  function TEST (line 33) | TEST(AtomicSignalHandler, handle_once_wait_consistency) {
  function TEST (line 88) | TEST(AtomicSignalHandler, handle_and_reset) {

FILE: unit_tests/falco/test_capture.cpp
  function TEST (line 22) | TEST(Capture, generate_scap_file_path_realistic_scenario) {
  function TEST (line 36) | TEST(Capture, generate_scap_file_path_lexicographic_ordering) {
  function TEST (line 57) | TEST(Capture, generate_scap_file_path_empty_prefix) {
  function TEST (line 68) | TEST(Capture, capture_config_disabled_by_default) {
  function TEST (line 84) | TEST(Capture, capture_config_enabled_rules_mode) {
  function TEST (line 103) | TEST(Capture, capture_config_enabled_all_rules_mode) {
  function TEST (line 122) | TEST(Capture, capture_config_invalid_mode) {

FILE: unit_tests/falco/test_configuration.cpp
  function TEST (line 34) | TEST(Configuration, configuration_exceptions) {
  function TEST (line 45) | TEST(Configuration, configuration_reload) {
  function TEST (line 57) | TEST(Configuration, read_yaml_fields) {
  function TEST (line 88) | TEST(Configuration, modify_yaml_fields) {
  function TEST (line 105) | TEST(Configuration, configuration_webserver_ip) {

FILE: unit_tests/falco/test_configuration_config_files.cpp
  function TEST (line 21) | TEST(Configuration, configuration_config_files_secondary_fail) {
  function TEST (line 55) | TEST(Configuration, configuration_config_files_ok) {
  function TEST (line 126) | TEST(Configuration, configuration_config_files_relative_main) {
  function TEST (line 192) | TEST(Configuration, configuration_config_files_override) {
  function TEST (line 247) | TEST(Configuration, configuration_config_files_sequence_strategy_default) {
  function TEST (line 307) | TEST(Configuration, configuration_config_files_sequence_strategy_append) {
  function TEST (line 368) | TEST(Configuration, configuration_config_files_sequence_strategy_overrid...
  function TEST (line 429) | TEST(Configuration, configuration_config_files_sequence_strategy_addonly) {
  function TEST (line 492) | TEST(Configuration, configuration_config_files_sequence_wrong_strategy) {
  function TEST (line 557) | TEST(Configuration, configuration_config_files_unexistent) {
  function TEST (line 586) | TEST(Configuration, configuration_config_files_scalar_config_files) {
  function TEST (line 631) | TEST(Configuration, configuration_config_files_empty_config_files) {
  function TEST (line 662) | TEST(Configuration, configuration_config_files_self) {
  function TEST (line 682) | TEST(Configuration, configuration_config_files_directory) {
  function TEST (line 754) | TEST(Configuration, configuration_config_files_cmdline) {

FILE: unit_tests/falco/test_configuration_env_vars.cpp
  function TEST (line 27) | TEST(Configuration, configuration_environment_variables) {

FILE: unit_tests/falco/test_configuration_output_options.cpp
  function TEST (line 21) | TEST(ConfigurationRuleOutputOptions, parse_yaml) {
  function TEST (line 82) | TEST(ConfigurationRuleOutputOptions, cli_options) {

FILE: unit_tests/falco/test_configuration_rule_selection.cpp
  function TEST (line 21) | TEST(ConfigurationRuleSelection, parse_yaml) {
  function TEST (line 51) | TEST(ConfigurationRuleSelection, cli_options) {
  function TEST (line 69) | TEST(ConfigurationRuleSelection, cli_options_object) {

FILE: unit_tests/falco/test_configuration_schema.cpp
  function TEST (line 32) | TEST(Configuration, schema_validate_config) {
  function TEST (line 43) | TEST(Configuration, schema_ok) {
  function TEST (line 56) | TEST(Configuration, schema_wrong_key) {
  function TEST (line 69) | TEST(Configuration, schema_wrong_type) {
  function TEST (line 80) | TEST(Configuration, schema_wrong_embedded_key) {
  function TEST (line 93) | TEST(Configuration, plugin_init_config) {
  function TEST (line 149) | TEST(Configuration, schema_yaml_helper_validator) {

FILE: unit_tests/test_falco_engine.h
  function class (line 11) | class test_falco_engine : public testing::Test {

FILE: userspace/engine/evttype_index_ruleset.h
  function tags (line 31) | struct evttype_index_wrapper {
  function libsinsp (line 34) | const libsinsp::events::set<ppm_sc_code> &sc_codes() { return m_sc_codes; }
  function libsinsp (line 35) | const libsinsp::events::set<ppm_event_code> &event_codes() { return m_ev...
  function class (line 43) | class evttype_index_ruleset : public indexable_ruleset<evttype_index_wra...

FILE: userspace/engine/falco_common.h
  function runtime_error (line 41) | struct falco_exception : std::runtime_error {
  function namespace (line 45) | namespace falco_common {
  type std (line 71) | typedef std::unordered_map<std::string, std::pair<std::string, bool>> ex...

FILE: userspace/engine/falco_engine.cpp
  function sinsp_version (line 84) | sinsp_version falco_engine::engine_version() {
  function fieldclass_key (line 114) | static std::string fieldclass_key(const sinsp_filter_factory::filter_fie...
  function sequence_to_json_array (line 465) | inline nlohmann::json sequence_to_json_array(const T &seq) {
  function stats_manager (line 847) | const stats_manager &falco_engine::get_rule_stats_manager() const {
  function check_plugin_requirement_alternatives (line 897) | static bool check_plugin_requirement_alternatives(

FILE: userspace/engine/falco_engine.h
  function class (line 45) | class falco_engine {

FILE: userspace/engine/falco_load_result.h
  type error_code (line 29) | enum error_code {
  function warning_code (line 51) | enum class warning_code {

FILE: userspace/engine/falco_rule.h
  type falco_list (line 30) | struct falco_list {
  type falco_macro (line 53) | struct falco_macro {
  type falco_rule (line 79) | struct falco_rule {

FILE: userspace/engine/falco_source.h
  type falco_source (line 28) | struct falco_source {
  function is_valid_lhs_field (line 57) | inline bool is_valid_lhs_field(const std::string& field) const {

FILE: userspace/engine/falco_utils.cpp
  type falco (line 59) | namespace falco {
    type utils (line 61) | namespace utils {
      function parse_prometheus_interval (line 63) | uint64_t parse_prometheus_interval(std::string interval_str) {
      function calculate_file_sha256sum (line 140) | std::string calculate_file_sha256sum(const std::string& filename) {
      function sanitize_rule_name (line 167) | std::string sanitize_rule_name(const std::string& name) {
      function wrap_text (line 177) | std::string wrap_text(const std::string& in, uint32_t indent, uint32...
      function hardware_concurrency (line 195) | uint32_t hardware_concurrency() {
      function readfile (line 200) | void readfile(const std::string& filename, std::string& data) {
      function matches_wildcard (line 215) | bool matches_wildcard(const std::string& pattern, const std::string&...
      type network (line 251) | namespace network {
        function is_unix_scheme (line 252) | bool is_unix_scheme(const std::string& url) {

FILE: userspace/engine/falco_utils.h
  function namespace (line 26) | namespace falco::utils {

FILE: userspace/engine/field_formatter.h
  type class (line 27) | enum class
  function class (line 32) | class FieldFormatter {
  function begin (line 73) | void begin() override;

FILE: userspace/engine/filter_details_resolver.cpp
  function get_field_name (line 24) | static inline std::string get_field_name(const std::string& name, const ...

FILE: userspace/engine/filter_details_resolver.h
  type filter_details (line 25) | struct filter_details {
  function class (line 44) | class filter_details_resolver {

FILE: userspace/engine/filter_macro_resolver.h
  function class (line 30) | class filter_macro_resolver {

FILE: userspace/engine/filter_ruleset.h
  function class (line 32) | class filter_ruleset {
  function class (line 215) | class filter_ruleset_factory {

FILE: userspace/engine/filter_warning_resolver.cpp
  function is_unsafe_field (line 26) | static inline bool is_unsafe_field(const std::string& f) {
  function is_equality_operator (line 31) | static inline bool is_equality_operator(const std::string& op) {

FILE: userspace/engine/filter_warning_resolver.h
  function class (line 32) | class filter_warning_resolver {

FILE: userspace/engine/formats.h
  function class (line 24) | class falco_formats {

FILE: userspace/engine/indexable_ruleset.h
  function clear (line 52) | void clear() override {
  function enabled_count (line 59) | uint64_t enabled_count(uint16_t ruleset_id) override {
  function enabled_evttypes (line 67) | void enabled_evttypes(std::set<uint16_t> &evttypes, uint16_t ruleset_id)...
  function virtual (line 88) | virtual void enable(const std::string &pattern,
  function virtual (line 94) | virtual void disable(const std::string &pattern,
  function enable_tags (line 100) | void enable_tags(const std::set<std::string> &tags, uint16_t ruleset_id)...
  function disable_tags (line 104) | void disable_tags(const std::set<std::string> &tags, uint16_t ruleset_id...
  function run (line 110) | bool run(sinsp_evt *evt, falco_rule &match, uint16_t ruleset_id) override {
  function run (line 118) | bool run(sinsp_evt *evt, std::vector<falco_rule> &matches, uint16_t rule...
  type std (line 126) | typedef std::list<std::shared_ptr<filter_wrapper>> filter_wrapper_list;
  function add_wrapper (line 130) | void add_wrapper(std::shared_ptr<filter_wrapper> wrap) { m_filters.inser...
  type std (line 135) | typedef std::function<void(const std::shared_ptr<filter_wrapper> &wrap)>...
  function iterate (line 136) | uint64_t iterate(filter_wrapper_func func) {
  function enable_disable_tags (line 205) | void enable_disable_tags(const std::set<std::string> &tags, bool enabled...
  function class (line 230) | class ruleset_filters {

FILE: userspace/engine/indexed_vector.h
  function virtual (line 54) | virtual inline void clear() {
  function virtual (line 72) | virtual inline size_t insert(const T& entry, const std::string& index) {
  function virtual (line 90) | virtual inline T* at(size_t id) const {
  function virtual (line 101) | virtual inline T* at(const std::string& index) const {

FILE: userspace/engine/logger.cpp
  function decode_sinsp_severity (line 26) | static sinsp_logger::severity decode_sinsp_severity(const std::string& s) {
  type tm (line 125) | struct tm
  type tm (line 130) | struct tm

FILE: userspace/engine/logger.h
  function class (line 25) | class falco_logger {

FILE: userspace/engine/output_format.h
  function output_format (line 20) | enum class output_format { TEXT, MARKDOWN, JSON }

FILE: userspace/engine/rule_loader.cpp
  type item_type (line 47) | enum item_type

FILE: userspace/engine/rule_loader.h
  function namespace (line 31) | namespace rule_loader {
  function warning (line 209) | struct deprecated_field_warning : warning {
  type error (line 233) | struct error {
  function class (line 249) | class rule_load_exception : public std::exception {
  function class (line 266) | class result : public falco::load_result {
  type plugin_version_info (line 370) | struct plugin_version_info {
  type list_info (line 403) | struct list_info {
  type macro_info (line 421) | struct macro_info {
  type rule_exception_info (line 440) | struct rule_exception_info {
  type rule_info (line 482) | struct rule_info {
  type rule_update_info (line 515) | struct rule_update_info {

FILE: userspace/engine/rule_loader_collector.cpp
  function is_operator_defined (line 34) | static inline bool is_operator_defined(const std::string& op) {
  function define_info (line 40) | static inline void define_info(indexed_vector<T>& infos, T& info, uint32...
  function append_info (line 54) | static inline void append_info(T* prev, U& info, uint32_t id) {
  function replace_info (line 59) | static inline void replace_info(T* prev, U& info, uint32_t id) {
  function validate_exception_info (line 63) | static void validate_exception_info(const falco_source* source,

FILE: userspace/engine/rule_loader_collector.h
  function namespace (line 24) | namespace rule_loader {

FILE: userspace/engine/rule_loader_compile_output.h
  function namespace (line 25) | namespace rule_loader {

FILE: userspace/engine/rule_loader_compiler.cpp
  function quote_item (line 47) | static void quote_item(std::string& e) {
  function paren_item (line 53) | static void paren_item(std::string& e) {
  function is_operator_for_list (line 59) | static inline bool is_operator_for_list(const std::string& op) {
  function is_format_valid (line 64) | static bool is_format_valid(const falco_source& source, std::string fmt,...
  function check_deprecated_fields_in_output (line 75) | static void check_deprecated_fields_in_output(const std::string& fmt,
  function build_rule_exception_infos (line 93) | static void build_rule_exception_infos(
  function resolve_list (line 175) | static bool resolve_list(std::string& cnd, const falco_list& list) {
  function resolve_macros (line 233) | static inline void resolve_macros(filter_macro_resolver& macro_resolver,
  function parse_condition (line 269) | static std::shared_ptr<ast::expr> parse_condition(std::string condition,
  function err_is_unknown_type_or_field (line 346) | static bool err_is_unknown_type_or_field(const std::string& err) {

FILE: userspace/engine/rule_loader_compiler.h
  function namespace (line 27) | namespace rule_loader {

FILE: userspace/engine/rule_loader_reader.cpp
  function decode_val_generic (line 52) | static void decode_val_generic(const YAML::Node& item,
  function decode_val_generic (line 84) | static void decode_val_generic(const YAML::Node& item,
  function decode_seq (line 146) | static void decode_seq(const YAML::Node& item,
  function decode_items (line 172) | static void decode_items(const YAML::Node& item,
  function decode_tags (line 183) | static void decode_tags(const YAML::Node& item, std::set<T>& out, const ...
  function decode_tags (line 192) | static void decode_tags(const YAML::Node& item,
  function decode_overrides (line 200) | static void decode_overrides(const YAML::Node& item,
  function decode_exception_info_entry (line 265) | static void decode_exception_info_entry(const YAML::Node& item,
  function decode_exception_fields (line 304) | static void decode_exception_fields(const YAML::Node& item,
  function decode_exception_comps (line 311) | static void decode_exception_comps(const YAML::Node& item,
  function decode_exception_values (line 319) | static void decode_exception_values(const YAML::Node& item,
  function read_rule_exceptions (line 327) | static void read_rule_exceptions(rule_loader::configuration& cfg,
  function read_rule_exceptions (line 396) | static void read_rule_exceptions(
  function warn_unknown_keys (line 407) | static void warn_unknown_keys(const YAML::Node& item,
  function check_update_expected (line 424) | inline static bool check_update_expected(std::set<std::string>& expected...

FILE: userspace/engine/rule_loader_reader.h
  function namespace (line 26) | namespace rule_loader {

FILE: userspace/engine/stats_manager.h
  function class (line 33) | class stats_manager {

FILE: userspace/engine/yaml_helper.h
  function class (line 46) | class yaml_visitor {
  function descend (line 66) | void descend(YAML::Node& target) {
  function class (line 81) | class yaml_helper {
  type config_files_strategy (line 167) | enum config_files_strategy
  function else (line 447) | else if(node.IsScalar()) {
  function namespace (line 455) | namespace YAML {

FILE: userspace/falco/app/actions/actions.h
  function namespace (line 23) | namespace falco {

FILE: userspace/falco/app/actions/configure_interesting_sets.cpp
  function extract_base_syscalls_names (line 26) | static void extract_base_syscalls_names(const std::unordered_set<std::st...
  function check_for_rules_unsupported_events (line 40) | static void check_for_rules_unsupported_events(
  function select_event_set (line 67) | static void select_event_set(falco::app::state& s,

FILE: userspace/falco/app/actions/create_signal_handlers.cpp
  function terminate_signal_handler (line 33) | static void terminate_signal_handler(int signal) {
  function reopen_outputs_signal_handler (line 37) | static void reopen_outputs_signal_handler(int signal) {
  function restart_signal_handler (line 41) | static void restart_signal_handler(int signal) {
  function create_handler (line 47) | bool create_handler(int sig, void (*func)(int), run_result& ret) {

FILE: userspace/falco/app/actions/event_formatter.cpp
  function is_flag_type (line 25) | static bool is_flag_type(ppm_param_type type) {
  type ppm_param_info (line 77) | struct ppm_param_info
  type ppm_param_info (line 131) | struct ppm_param_info

FILE: userspace/falco/app/actions/event_formatter.h
  type ppm_param_info (line 28) | struct ppm_param_info
  type ppm_event_info (line 29) | struct ppm_event_info
  function namespace (line 31) | namespace falco {

FILE: userspace/falco/app/actions/helpers.h
  function namespace (line 26) | namespace falco {

FILE: userspace/falco/app/actions/helpers_generic.cpp
  function format_two_columns (line 114) | static void format_two_columns(std::ostream& os, const std::string& l, c...

FILE: userspace/falco/app/actions/init_falco_engine.cpp
  function format_suggested_field (line 26) | static inline std::string format_suggested_field(const filtercheck_field...
  function add_suggested_output (line 38) | static void add_suggested_output(const falco::app::state& s,
  function configure_output_format (line 61) | void configure_output_format(falco::app::state& s) {
  function add_source_to_engine (line 106) | void add_source_to_engine(falco::app::state& s, const std::string& src) {

FILE: userspace/falco/app/actions/init_inspectors.cpp
  function init_syscall_inspector (line 29) | static void init_syscall_inspector(falco::app::state& s, std::shared_ptr...
  function populate_filterchecks (line 53) | static bool populate_filterchecks(const std::shared_ptr<sinsp>& inspector,

FILE: userspace/falco/app/actions/load_config.cpp
  function apply_deprecated_options (line 25) | static falco::app::run_result apply_deprecated_options(const falco::app:...

FILE: userspace/falco/app/actions/print_support.cpp
  function read_file (line 31) | static std::string read_file(const std::string& filename) {
  function get_sysinfo (line 39) | static int get_sysinfo(nlohmann::json& support) {
  function get_sysinfo (line 53) | static int get_sysinfo(nlohmann::json& support) {

FILE: userspace/falco/app/actions/print_syscall_events.cpp
  type events_by_category (line 27) | struct events_by_category {
    method add_event (line 33) | void add_event(ppm_event_code e, bool available, const std::string& na...
    method print_all (line 67) | void print_all(EventFormatter& formatter) {
  function get_event_entries_by_category (line 94) | static struct events_by_category get_event_entries_by_category(
  type events_by_category (line 131) | struct events_by_category
    method add_event (line 33) | void add_event(ppm_event_code e, bool available, const std::string& na...
    method print_all (line 67) | void print_all(EventFormatter& formatter) {

FILE: userspace/falco/app/actions/process_events.cpp
  class source_sync_context (line 45) | class source_sync_context {
    method source_sync_context (line 47) | explicit source_sync_context(falco::semaphore& s):
    method finish (line 52) | inline void finish() {
    method join (line 65) | inline void join() {
    method joined (line 77) | inline bool joined() { return m_joined.load(std::memory_order_seq_cst); }
    method finished (line 79) | inline bool finished() { return m_finished.load(std::memory_order_seq_...
  type live_context (line 90) | struct live_context {
  function do_inspect (line 104) | static falco::app::run_result do_inspect(
  function process_inspector_events (line 367) | static void process_inspector_events(
  function init_stats_writer (line 433) | static falco::app::run_result init_stats_writer(

FILE: userspace/falco/app/app.h
  function namespace (line 24) | namespace falco {

FILE: userspace/falco/app/options.cpp
  type falco (line 30) | namespace falco {
    type app (line 31) | namespace app {
      function parse_output_format (line 33) | static bool parse_output_format(const std::string &format_str,

FILE: userspace/falco/app/options.h
  function namespace (line 28) | namespace cxxopts {
  function namespace (line 32) | namespace falco {

FILE: userspace/falco/app/restart_handler.cpp
  type timeval (line 113) | struct timeval
  type inotify_event (line 114) | struct inotify_event

FILE: userspace/falco/app/restart_handler.h
  function namespace (line 26) | namespace falco {

FILE: userspace/falco/app/run_result.h
  function namespace (line 22) | namespace falco {

FILE: userspace/falco/app/signals.h
  function namespace (line 22) | namespace falco {

FILE: userspace/falco/app/state.h
  function namespace (line 37) | namespace falco {

FILE: userspace/falco/atomic_signal_handler.h
  function namespace (line 24) | namespace falco {

FILE: userspace/falco/configuration.cpp
  function config_loaded_res (line 107) | config_loaded_res falco_configuration::init_from_content(
  function config_loaded_res (line 124) | config_loaded_res falco_configuration::init_from_file(
  type stat (line 313) | struct stat
  function split (line 739) | static bool split(const std::string &str, char delim, std::pair<std::str...

FILE: userspace/falco/configuration.h
  type class (line 43) | enum class
  type class (line 45) | enum class
  type std (line 48) | typedef std::map<std::string, std::string> config_loaded_res;
  function class (line 50) | class falco_configuration {

FILE: userspace/falco/event_drops.h
  function syscall_evt_drop_action (line 30) | enum class syscall_evt_drop_action : uint8_t { DISREGARD = 0, LOG, ALERT...

FILE: userspace/falco/falco.cpp
  function display_fatal_err (line 26) | static void display_fatal_err(const std::string &&msg) {
  function falco_run (line 40) | int falco_run(int argc, char **argv, bool &restart) {
  function main (line 59) | int main(int argc, char **argv) {

FILE: userspace/falco/falco_metrics.cpp
  function convert_metric_to_text_prometheus_with_deprecation_notice (line 76) | static std::string convert_metric_to_text_prometheus_with_deprecation_no...

FILE: userspace/falco/falco_metrics.h
  function namespace (line 23) | namespace falco::app {
  function class (line 27) | class falco_metrics {

FILE: userspace/falco/falco_outputs.h
  function class (line 41) | class falco_outputs {

FILE: userspace/falco/falco_semaphore.h
  function namespace (line 22) | namespace falco {

FILE: userspace/falco/outputs.h
  function namespace (line 26) | namespace falco {

FILE: userspace/falco/outputs_file.h
  function namespace (line 24) | namespace falco {

FILE: userspace/falco/outputs_http.cpp
  function noop_write_callback (line 23) | static size_t noop_write_callback(void * /*contents*/,

FILE: userspace/falco/outputs_http.h
  function namespace (line 24) | namespace falco {

FILE: userspace/falco/outputs_program.h
  function namespace (line 22) | namespace falco {

FILE: userspace/falco/outputs_stdout.h
  function namespace (line 22) | namespace falco {

FILE: userspace/falco/outputs_syslog.h
  function namespace (line 22) | namespace falco {

FILE: userspace/falco/stats_writer.cpp
  function timer_handler (line 57) | static void timer_handler(int signum) {
  type sigaction (line 69) | struct sigaction
  type sigevent (line 78) | struct sigevent
  type itimerspec (line 90) | struct itimerspec
  type sigaction (line 91) | struct sigaction
  type sigevent (line 100) | struct sigevent
  type itimerspec (line 116) | struct itimerspec
  type sigaction (line 117) | struct sigaction
  type sigevent (line 126) | struct sigevent
  function add_netinfo_metrics_output_fields (line 279) | void add_netinfo_metrics_output_fields(nlohmann::json& output_fields,

FILE: userspace/falco/stats_writer.h
  function class (line 38) | class stats_writer {

FILE: userspace/falco/versions_info.cpp
  function get_driver_api_version (line 23) | static std::string get_driver_api_version(const std::shared_ptr<sinsp>& ...
  function get_driver_schema_version (line 40) | static inline std::string get_driver_schema_version(const std::shared_pt...

FILE: userspace/falco/versions_info.h
  function namespace (line 29) | namespace falco {

FILE: userspace/falco/watchdog.h
  function no_deadline (line 35) | const auto no_deadline = time_point{}
  function stop (line 53) | void stop() {
  function set_timeout (line 63) | inline void set_timeout(std::chrono::milliseconds timeout, _T payload) n...

FILE: userspace/falco/webserver.h
  function namespace (line 28) | namespace falco::app {
  function class (line 32) | class falco_webserver {
Condensed preview — 276 files, each showing path, character count, and a content snippet (1,878K chars in the full structured content).
[
  {
    "path": ".circleci/OWNERS",
    "chars": 33,
    "preview": "emeritus_approvers:\n  - jonahjon\n"
  },
  {
    "path": ".clang-format",
    "chars": 907,
    "preview": "Language: Cpp\nBasedOnStyle: Google\nAccessModifierOffset: -4\nBreakBeforeBraces: Attach\nAllowAllArgumentsOnNextLine: false"
  },
  {
    "path": ".clang-format-ignore",
    "chars": 146,
    "preview": "# These files contain some JSON schema definitions that are not C++ code\nuserspace/falco/config_json_schema.h\nuserspace/"
  },
  {
    "path": ".cmake-format.json",
    "chars": 8835,
    "preview": "{\n\t\"_help_format\": \"Options affecting formatting.\",\n\t\"format\": {\n\t\t\"_help_disable\": [\n\t\t\t\"Disable formatting entirely, m"
  },
  {
    "path": ".codespellignore",
    "chars": 19,
    "preview": "aks\ncreat\nchage\nro\n"
  },
  {
    "path": ".dockerignore",
    "chars": 20,
    "preview": "*\n!config/\n!docker/\n"
  },
  {
    "path": ".git-blame-ignore-revs",
    "chars": 99,
    "preview": "# This commit formatted the Falco code for the first time.\n50b98b30e588eadce641136da85bc94a60eb6a3d"
  },
  {
    "path": ".github/PULL_REQUEST_TEMPLATE.md",
    "chars": 2022,
    "preview": "<!--  Thanks for sending a pull request! Here are some tips for you:\n1. If this is your first time, please read our cont"
  },
  {
    "path": ".github/dependabot.yml",
    "chars": 705,
    "preview": "#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you ma"
  },
  {
    "path": ".github/release_template.md",
    "chars": 2489,
    "preview": "[![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)](https://github.com/falcosecurity/libs/releases/tag/LIBSVER)\n"
  },
  {
    "path": ".github/workflows/bump-libs.yaml",
    "chars": 2332,
    "preview": "---\nname: Bump Libs\n\non:\n  workflow_dispatch:\n  schedule:\n    - cron: '30 6 * * 1' # on each monday 6:30\n\npermissions:\n "
  },
  {
    "path": ".github/workflows/ci.yml",
    "chars": 6367,
    "preview": "name: CI Build\non:\n  pull_request:\n    branches:\n      - master\n      - release/*\n  workflow_dispatch:\n\n# Checks if any "
  },
  {
    "path": ".github/workflows/codeql.yaml",
    "chars": 2747,
    "preview": "# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# Y"
  },
  {
    "path": ".github/workflows/codespell.yml",
    "chars": 439,
    "preview": "name: Codespell\non:\n  pull_request:\n    \npermissions:  \n  contents: read\n\njobs:\n  codespell:\n    runs-on: ubuntu-latest\n"
  },
  {
    "path": ".github/workflows/engine-version-weakcheck.yaml",
    "chars": 1604,
    "preview": "# NOTE: it is UNSAFE to run ANY kind of script when using the pull_request_target trigger!\n# DO NOT TOUCH THIS FILE UNLE"
  },
  {
    "path": ".github/workflows/format.yaml",
    "chars": 975,
    "preview": "name: Format code\non:\n  pull_request:\n  push:\n    branches:\n      - master\n      - \"release/**\"\n\npermissions:\n  contents"
  },
  {
    "path": ".github/workflows/insecure-api.yaml",
    "chars": 761,
    "preview": "name: Insecure API check\non:\n  pull_request:\n    branches:\n      - master\n      - 'release/**'\n      - 'maintainers/**'\n"
  },
  {
    "path": ".github/workflows/master.yaml",
    "chars": 2654,
    "preview": "name: Dev Packages and Docker images\non:\n  push:\n    branches: [master]\n\npermissions:\n  contents: read\n\n# Checks if any "
  },
  {
    "path": ".github/workflows/release.yaml",
    "chars": 7319,
    "preview": "name: Release Packages and Docker images\non:\n  release:\n    types: [published]\n\npermissions:\n  contents: read\n\n# Checks "
  },
  {
    "path": ".github/workflows/reusable_build_dev.yaml",
    "chars": 3012,
    "preview": "# This is a reusable workflow used by the master CI\non:\n  workflow_call:\n    outputs:\n      cmdout:\n        description:"
  },
  {
    "path": ".github/workflows/reusable_build_docker.yaml",
    "chars": 4097,
    "preview": "# This is a reusable workflow used by master and release CI\non:\n  workflow_call:\n    inputs:\n      arch:\n        descrip"
  },
  {
    "path": ".github/workflows/reusable_build_packages.yaml",
    "chars": 14749,
    "preview": "# This is a reusable workflow used by master and release CI\non:\n  workflow_call:\n    inputs:\n      arch:\n        descrip"
  },
  {
    "path": ".github/workflows/reusable_fetch_version.yaml",
    "chars": 1413,
    "preview": "# This is a reusable workflow used by master and release CI\non:\n  workflow_call:\n    outputs:\n      version:\n        des"
  },
  {
    "path": ".github/workflows/reusable_publish_docker.yaml",
    "chars": 8774,
    "preview": "# This is a reusable workflow used by master and release CI\non:\n  workflow_call:\n    inputs:\n      tag:\n        descript"
  },
  {
    "path": ".github/workflows/reusable_publish_packages.yaml",
    "chars": 5578,
    "preview": "# This is a reusable workflow used by master and release CI\non:\n  workflow_call:\n    inputs:\n      version:\n        desc"
  },
  {
    "path": ".github/workflows/reusable_test_packages.yaml",
    "chars": 2293,
    "preview": "# This is a reusable workflow used by master and release CI\non:\n  workflow_call:\n    inputs:\n      arch:\n        descrip"
  },
  {
    "path": ".github/workflows/scorecard.yaml",
    "chars": 3161,
    "preview": "# This workflow uses actions that are not certified by GitHub. They are provided\n# by a third-party and are governed by "
  },
  {
    "path": ".github/workflows/staticanalysis.yaml",
    "chars": 1104,
    "preview": "name: StaticAnalysis\non:\n  pull_request:\npermissions:  \n  contents: read\n\njobs:\n  staticanalysis:\n    runs-on: ubuntu-22"
  },
  {
    "path": ".gitignore",
    "chars": 59,
    "preview": "/build*\n*~\n*.pyc\n\n.vscode/*\n\n*.idea*\nCMakeUserPresets.json\n"
  },
  {
    "path": ".gitmodules",
    "chars": 149,
    "preview": "[submodule \"submodules/falcosecurity-rules\"]\n\tpath = submodules/falcosecurity-rules\n\turl = https://github.com/falcosecur"
  },
  {
    "path": ".pre-commit-config.yaml",
    "chars": 615,
    "preview": "# See https://pre-commit.com for more information\n# See https://pre-commit.com/hooks.html for more hooks\nfail_fast: fals"
  },
  {
    "path": ".yamllint.conf",
    "chars": 152,
    "preview": "extends: default\n\nrules:\n  indentation: disable\n  document-start: disable\n  comments: disable\n  line-length: disable\n  n"
  },
  {
    "path": "ADOPTERS.md",
    "chars": 21125,
    "preview": "# Adopters\n\nKnown end users with notable contributions to the project include:\n* AWS\n* IBM\n* Red Hat\n\nFalco is being use"
  },
  {
    "path": "CHANGELOG.md",
    "chars": 325478,
    "preview": "# Change Log\n\n## v0.43.0\n\nReleased on 2026-01-28\n\n### Breaking Changes :warning:\n\n* fix(userspace)!: show source config "
  },
  {
    "path": "CMakeLists.txt",
    "chars": 8506,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "COPYING",
    "chars": 11348,
    "preview": "\n                                 Apache License\n                           Version 2.0, January 2004\n                  "
  },
  {
    "path": "Contributing.md",
    "chars": 7161,
    "preview": "# How to contribute\n\n## Enforce coding style 💻\n\n### Introduction\n\nThis document introduces the coding style that will be"
  },
  {
    "path": "LICENSE",
    "chars": 11348,
    "preview": "\n                                 Apache License\n                           Version 2.0, January 2004\n                  "
  },
  {
    "path": "Makefile",
    "chars": 3055,
    "preview": "#\n# Copyright (C) 2024 The Falco Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may "
  },
  {
    "path": "OWNERS",
    "chars": 221,
    "preview": "approvers:\n  - mstemm\n  - leogr\n  - jasondellaluce\n  - fededp\n  - andreagit97\n  - LucaGuerra\n  - sgaist\n  - ekoops\nrevie"
  },
  {
    "path": "README.md",
    "chars": 12599,
    "preview": "# Falco\n\n[![Latest release](https://img.shields.io/github/v/release/falcosecurity/falco?style=for-the-badge)](https://gi"
  },
  {
    "path": "RELEASE.md",
    "chars": 18200,
    "preview": "# Falco Release Process\n\n\n## Overview\n\nThis document provides the process to create a new Falco release. In addition, it"
  },
  {
    "path": "brand/README.md",
    "chars": 2740,
    "preview": "<p align=\"center\"><img src=\"primary-logo.png\" width=\"360\"></p>\n<p align=\"center\"><b>Cloud Native Runtime Security.</b></"
  },
  {
    "path": "cmake/cpack/CMakeCPackOptions.cmake",
    "chars": 1926,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/cpack/debian/conffiles",
    "chars": 84,
    "preview": "/etc/falco/falco.yaml\n/etc/falco/falco_rules.local.yaml\n/etc/falcoctl/falcoctl.yaml\n"
  },
  {
    "path": "cmake/modules/CPackConfig.cmake",
    "chars": 3802,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/CompilerFlags.cmake",
    "chars": 5230,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/Coverage.cmake",
    "chars": 1163,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/cares.cmake",
    "chars": 2660,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/copy_files_to_build_dir.cmake",
    "chars": 1132,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/cpp-httplib.cmake",
    "chars": 1328,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/curl.cmake",
    "chars": 3464,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/cxxopts.cmake",
    "chars": 1513,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/driver-repo/CMakeLists.txt",
    "chars": 1116,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/driver.cmake",
    "chars": 2656,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2026 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/falco-version.cmake",
    "chars": 1914,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/falcoctl.cmake",
    "chars": 1901,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2025 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/falcosecurity-libs-repo/CMakeLists.txt",
    "chars": 1109,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/falcosecurity-libs.cmake",
    "chars": 4551,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2026 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/gperftools.cmake",
    "chars": 4634,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2026 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/jemalloc.cmake",
    "chars": 2730,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2025 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/mimalloc.cmake",
    "chars": 3490,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2025 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/njson.cmake",
    "chars": 1066,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/openssl.cmake",
    "chars": 2908,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/rules.cmake",
    "chars": 2910,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2025 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/static-analysis.cmake",
    "chars": 2497,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "cmake/modules/yaml-cpp.cmake",
    "chars": 1066,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "config/falco.container_plugin.yaml",
    "chars": 84,
    "preview": "# Enable container plugin for linux non musl installation.\nload_plugins: [container]"
  },
  {
    "path": "config/falco.iso8601_timeformat.yaml",
    "chars": 66,
    "preview": "# Enable iso 8601 time format on docker\ntime_format_iso_8601: true"
  },
  {
    "path": "docker/OWNERS",
    "chars": 51,
    "preview": "labels:\n  - area/integration\napprovers:\n  - leogr\n\n"
  },
  {
    "path": "docker/README.md",
    "chars": 3786,
    "preview": "# Falco Dockerfiles\n\nThis directory contains various ways to package Falco as a container and related tools.\n\n## Current"
  },
  {
    "path": "docker/docker-compose/README.md",
    "chars": 772,
    "preview": "# Warning\n\nThis environment is provided for demonstration purposes only and does not represent a production ready deploy"
  },
  {
    "path": "docker/docker-compose/config/http_output.yml",
    "chars": 268,
    "preview": "# [Stable] `http_output`\n#\n# Send logs to an HTTP endpoint or webhook.\n#\n# When using falcosidekick, it is necessary to "
  },
  {
    "path": "docker/docker-compose/docker-compose.yaml",
    "chars": 767,
    "preview": "version: \"3\"\nservices:\n  falco:\n    container_name: falco\n    cap_drop:\n      - all\n    cap_add:\n      - sys_admin\n     "
  },
  {
    "path": "docker/driver-loader/Dockerfile",
    "chars": 1616,
    "preview": "ARG FALCO_IMAGE_TAG=latest\nFROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian\n\nARG FALCO_COMMIT_SHA\nARG FALCO_"
  },
  {
    "path": "docker/driver-loader/docker-entrypoint.sh",
    "chars": 3924,
    "preview": "#!/usr/bin/env bash\n# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under"
  },
  {
    "path": "docker/driver-loader-buster/Dockerfile",
    "chars": 8203,
    "preview": "FROM debian:buster\n\nARG FALCO_COMMIT_SHA\nARG FALCO_VERSION=latest\n\nLABEL org.opencontainers.image.authors='The Falco Aut"
  },
  {
    "path": "docker/driver-loader-buster/docker-entrypoint.sh",
    "chars": 3572,
    "preview": "#!/usr/bin/env bash\n# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2026 The Falco Authors.\n#\n#\n# Licensed under"
  },
  {
    "path": "docker/falco/Dockerfile",
    "chars": 1815,
    "preview": "FROM cgr.dev/chainguard/wolfi-base\n\nARG FALCO_COMMIT_SHA\nARG FALCO_VERSION\n\nLABEL org.opencontainers.image.authors='The "
  },
  {
    "path": "docker/falco-debian/Dockerfile",
    "chars": 1737,
    "preview": "FROM debian:12-slim\n\nARG FALCO_COMMIT_SHA\nARG FALCO_VERSION\n\nLABEL org.opencontainers.image.authors='The Falco Authors h"
  },
  {
    "path": "falco.yaml",
    "chars": 62192,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2025 The Falco Authors.\n#\n#\n# Licensed under the Apache License,"
  },
  {
    "path": "proposals/20190826-grpc-outputs.md",
    "chars": 4129,
    "preview": "# Falco gRPC Outputs\n\n<!-- toc -->\n\n- [Summary](#summary)\n- [Motivation](#motivation)\n  * [Goals](#goals)\n  * [Non-Goals"
  },
  {
    "path": "proposals/20190909-psp-rules-support.md",
    "chars": 3653,
    "preview": "# Support for K8s Pod Security Policies (PSPs) in Falco\n\n<!-- toc -->\n\n- [Summary](#summary)\n- [Motivation](#motivation)"
  },
  {
    "path": "proposals/20191030-api.md",
    "chars": 3523,
    "preview": "# Falco APIs\n\n## Summary\n\nThis is a proposal to better structure the Falco API.\n\nThe Falco API is a set of contracts des"
  },
  {
    "path": "proposals/20191217-rules-naming-convention.md",
    "chars": 1970,
    "preview": "# Falco rule naming convention\n\n<!-- toc -->\n\n- [Summary](#summary)\n- [Motivation](#motivation)\n  * [Goals](#goals)\n  * "
  },
  {
    "path": "proposals/20200506-artifacts-scope-part-1.md",
    "chars": 6196,
    "preview": "# Falco Artifacts Scope - Part 1\n\nThe **Falco Artifact Scope** proposal is divided in two parts:\n1. the Part 1 - *this d"
  },
  {
    "path": "proposals/20200506-artifacts-scope-part-2.md",
    "chars": 4616,
    "preview": "# Falco Artifacts Scope - Part 2\n\nThe **Falco Artifact Scope** proposal is divided in two parts:\n1. the [Part 1](./20200"
  },
  {
    "path": "proposals/20200818-artifacts-storage.md",
    "chars": 4191,
    "preview": "# Falco Artifacts Storage\n\nThis document reflects the way we store the Falco artifacts.\n\n## Terms & Definitions\n\n- [Falc"
  },
  {
    "path": "proposals/20200828-structured-exception-handling.md",
    "chars": 11419,
    "preview": "# Proposal for First Class Structured Exceptions in Falco Rules\n\n## Summary\n\n## Motivation\n\nAlmost all Falco Rules have "
  },
  {
    "path": "proposals/20200901-artifacts-cleanup.md",
    "chars": 6015,
    "preview": "# Falco Artifacts Cleanup\n\nThis document reflects when and how we clean up the Falco artifacts from their storage locati"
  },
  {
    "path": "proposals/20201025-drivers-storage-s3.md",
    "chars": 6535,
    "preview": "# Falco Drivers Storage S3\n\nSupersedes: [20200818-artifacts-storage.md#drivers](20200818-artifacts-storage.md#drivers)\n\n"
  },
  {
    "path": "proposals/20210119-libraries-contribution.md",
    "chars": 8782,
    "preview": "# OSS Libraries Contribution Plan\n\n## Summary\n\nSysdig Inc. intends to donate **libsinsp**, **libscap**, the **kernel mod"
  },
  {
    "path": "proposals/20210501-plugin-system.md",
    "chars": 31857,
    "preview": "# Plugin System\n\n## Summary\n\nThis is a proposal to create an infrastructure to extend the functionality of the Falco lib"
  },
  {
    "path": "proposals/20221129-artifacts-distribution.md",
    "chars": 12713,
    "preview": "# Artifacts distribution\n\nThis proposal aims to define guidelines for the official distribution of artifacts published b"
  },
  {
    "path": "proposals/20230511-roadmap-management.md",
    "chars": 7526,
    "preview": "# Falco Roadmap Management Proposal\n\n## Summary \n\nThis document proposes the introduction of a structured process for ma"
  },
  {
    "path": "proposals/20230620-anomaly-detection-framework.md",
    "chars": 18058,
    "preview": "# On Host Anomaly Detection Framework - New `anomalydetection` Plugin\n\n## Motivation\n\n**A Wind of Change for Threat Dete"
  },
  {
    "path": "proposals/20231220-features-adoption-and-deprecation.md",
    "chars": 18467,
    "preview": "# Features Adoption and Deprecation Policies Proposal\n\nThis proposal aims to introduce a balance between maintaining ado"
  },
  {
    "path": "proposals/20251205-multi-thread-falco-design.md",
    "chars": 20379,
    "preview": "# Multi-Threaded Falco High-Level Design (Working draft)\n\n## Summary\n\nThis document outlines a high-level design for imp"
  },
  {
    "path": "proposals/20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md",
    "chars": 9376,
    "preview": "# Legacy eBPF probe, gVisor libscap engine and gRPC output deprecations\n\n## Summary\n\nThis proposal aims to formalize mot"
  },
  {
    "path": "scripts/CMakeLists.txt",
    "chars": 2609,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "scripts/debian/postinst.in",
    "chars": 5076,
    "preview": "#!/bin/sh\n# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apach"
  },
  {
    "path": "scripts/debian/postrm.in",
    "chars": 1293,
    "preview": "#!/bin/sh\n# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apach"
  },
  {
    "path": "scripts/debian/prerm.in",
    "chars": 1334,
    "preview": "#!/bin/sh\n# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apach"
  },
  {
    "path": "scripts/description.txt",
    "chars": 192,
    "preview": "Falco, the open source cloud-native runtime security project, is the defacto Kubernetes threat detection engine. Falco d"
  },
  {
    "path": "scripts/falcoctl/falcoctl.yaml.in",
    "chars": 368,
    "preview": "driver:\n    type: [@FALCOCTL_DRIVER_TYPES@]\n    name: \"@DRIVER_NAME@\"\n    repos:\n        - \"@DRIVERS_REPO@\"\n    version:"
  },
  {
    "path": "scripts/publish-bin",
    "chars": 1386,
    "preview": "#!/usr/bin/env bash\nset -e\n\nusage() {\n    echo \"usage: $0 -f <package.tar.gz> -r <bin|bin-dev> -a <arch>\"\n    exit 1\n}\n\n"
  },
  {
    "path": "scripts/publish-deb",
    "chars": 7817,
    "preview": "#!/usr/bin/env bash\nset -e\n\nusage() {\n    echo \"usage: $0 -f <package_x86_64.deb> -f <package_aarch64.deb> -r <deb|deb-d"
  },
  {
    "path": "scripts/publish-rpm",
    "chars": 6375,
    "preview": "#!/usr/bin/env bash\nset -e\n\nusage() {\n    echo \"usage: $0 -f <package_x86_64.rpm> -f <package_aarch64.rpm> -r <rpm|rpm-d"
  },
  {
    "path": "scripts/publish-wasm",
    "chars": 772,
    "preview": "#!/usr/bin/env bash\nset -e\n\nusage() {\n    echo \"usage: $0 -f <package.tar.gz>\"\n    exit 1\n}\n\n# parse options\nwhile getop"
  },
  {
    "path": "scripts/rpm/postinstall.in",
    "chars": 5313,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apache License,"
  },
  {
    "path": "scripts/rpm/postuninstall.in",
    "chars": 1130,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apache License,"
  },
  {
    "path": "scripts/rpm/preuninstall.in",
    "chars": 1599,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apache License,"
  },
  {
    "path": "scripts/systemd/falco-custom.service",
    "chars": 585,
    "preview": "[Unit]\nDescription=Falco: Container Native Runtime Security with custom configuration\nDocumentation=https://falco.org/do"
  },
  {
    "path": "scripts/systemd/falco-kmod-inject.service",
    "chars": 254,
    "preview": "[Unit]\nDescription=Falco: Container Native Runtime Security with kmod, inject.\nDocumentation=https://falco.org/docs/\nPar"
  },
  {
    "path": "scripts/systemd/falco-kmod.service",
    "chars": 697,
    "preview": "[Unit]\nDescription=Falco: Container Native Runtime Security with kmod\nDocumentation=https://falco.org/docs/\nAfter=falco-"
  },
  {
    "path": "scripts/systemd/falco-modern-bpf.service",
    "chars": 605,
    "preview": "[Unit]\nDescription=Falco: Container Native Runtime Security with modern ebpf\nDocumentation=https://falco.org/docs/\nBefor"
  },
  {
    "path": "scripts/systemd/falcoctl-artifact-follow.service",
    "chars": 532,
    "preview": "[Unit]\nDescription=Falcoctl Artifact Follow: automatic artifacts update service\nDocumentation=https://falco.org/docs/\nPa"
  },
  {
    "path": "semgrep/insecure-api-gets.yaml",
    "chars": 1945,
    "preview": "# MIT License\n#\n# Copyright (c) 2022 raptor\n#\n# Permission is hereby granted, free of charge, to any person obtaining a "
  },
  {
    "path": "semgrep/insecure-api-sprintf-vsprintf.yaml",
    "chars": 2668,
    "preview": "# MIT License\n#\n# Copyright (c) 2022 raptor\n#\n# Permission is hereby granted, free of charge, to any person obtaining a "
  },
  {
    "path": "semgrep/insecure-api-strcpy-stpcpy-strcat.yaml",
    "chars": 2637,
    "preview": "# MIT License\n#\n# Copyright (c) 2022 raptor\n#\n# Permission is hereby granted, free of charge, to any person obtaining a "
  },
  {
    "path": "semgrep/insecure-api-strn.yaml",
    "chars": 621,
    "preview": "rules:\n  - id: falco-insecure-api-strn\n    metadata:\n      references:\n        - https://cwe.mitre.org/data/definitions/"
  },
  {
    "path": "tools/local_hooks/dco-pre-commit-msg.sh",
    "chars": 463,
    "preview": "#!/bin/bash\n#\n# This is a git pre-commit-msg hook which automatically add a \n# DCO signed-off message if one is missing."
  },
  {
    "path": "unit_tests/CMakeLists.txt",
    "chars": 3008,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "unit_tests/README.md",
    "chars": 389,
    "preview": "# Falco unit tests\n\n## Intro\n\nUnder `unit_tests/engine` and `unit_tests/falco` directories, we have different test suite"
  },
  {
    "path": "unit_tests/engine/test_add_source.cpp",
    "chars": 2983,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_alt_rule_loader.cpp",
    "chars": 11701,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_enable_rule.cpp",
    "chars": 10512,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_extra_output.cpp",
    "chars": 3970,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2024 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_falco_utils.cpp",
    "chars": 5168,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_filter_details_resolver.cpp",
    "chars": 1821,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_filter_macro_resolver.cpp",
    "chars": 13381,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_filter_warning_resolver.cpp",
    "chars": 1760,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_plugin_requirements.cpp",
    "chars": 6400,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/engine/test_rule_loader.cpp",
    "chars": 46692,
    "preview": "#include <gtest/gtest.h>\n\n#include \"../test_falco_engine.h\"\n#include \"yaml_helper.h\"\n\n#define ASSERT_VALIDATION_STATUS(s"
  },
  {
    "path": "unit_tests/engine/test_rulesets.cpp",
    "chars": 7331,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/app/actions/app_action_helpers.h",
    "chars": 1147,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/app/actions/test_configure_interesting_sets.cpp",
    "chars": 24223,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp",
    "chars": 1834,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/app/actions/test_load_config.cpp",
    "chars": 2167,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/app/actions/test_select_event_sources.cpp",
    "chars": 2878,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_atomic_signal_handler.cpp",
    "chars": 3631,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_capture.cpp",
    "chars": 4577,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_configs/engine_kmod_config.yaml",
    "chars": 904,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apache License,"
  },
  {
    "path": "unit_tests/falco/test_configs/engine_modern_config.yaml",
    "chars": 938,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n#\n# Licensed under the Apache License,"
  },
  {
    "path": "unit_tests/falco/test_configuration.cpp",
    "chars": 6813,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_configuration_config_files.cpp",
    "chars": 31804,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_configuration_env_vars.cpp",
    "chars": 10214,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_configuration_output_options.cpp",
    "chars": 5687,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2024 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_configuration_rule_selection.cpp",
    "chars": 3229,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2024 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco/test_configuration_schema.cpp",
    "chars": 5692,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "unit_tests/falco_test_var.h.in",
    "chars": 293,
    "preview": "#pragma once\n\n#define TEST_ENGINE_KMOD_CONFIG \"${CMAKE_SOURCE_DIR}/unit_tests/falco/test_configs/engine_kmod_config.yaml"
  },
  {
    "path": "unit_tests/test_falco_engine.cpp",
    "chars": 2964,
    "preview": "#include \"test_falco_engine.h\"\n\ntest_falco_engine::test_falco_engine(): m_engine(std::make_shared<falco_engine>()) {\n\t//"
  },
  {
    "path": "unit_tests/test_falco_engine.h",
    "chars": 1421,
    "preview": "#pragma once\n\n#include \"falco_engine.h\"\n#include \"rule_loader_reader.h\"\n#include \"rule_loader_compiler.h\"\n#include \"rule"
  },
  {
    "path": "userspace/engine/CMakeLists.txt",
    "chars": 1542,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  },
  {
    "path": "userspace/engine/OWNERS",
    "chars": 23,
    "preview": "labels:\n  - area/engine"
  },
  {
    "path": "userspace/engine/evttype_index_ruleset.cpp",
    "chars": 3090,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/evttype_index_ruleset.h",
    "chars": 2794,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_common.cpp",
    "chars": 2386,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_common.h",
    "chars": 2365,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_engine.cpp",
    "chars": 35042,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_engine.h",
    "chars": 19721,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_engine_version.h",
    "chars": 1799,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_load_result.cpp",
    "chars": 10555,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_load_result.h",
    "chars": 4733,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_rule.h",
    "chars": 3801,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_source.h",
    "chars": 2583,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/falco_utils.cpp",
    "chars": 8768,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2016-2018 The Falco Authors.\n\nThis file is part of falco.\n\nLicen"
  },
  {
    "path": "userspace/engine/falco_utils.h",
    "chars": 1418,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2016-2018 The Falco Authors.\n\nThis file is part of falco.\n\nLicen"
  },
  {
    "path": "userspace/engine/field_formatter.cpp",
    "chars": 3880,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2026 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/field_formatter.h",
    "chars": 2887,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2026 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_details_resolver.cpp",
    "chars": 3807,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_details_resolver.h",
    "chars": 2805,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_macro_resolver.cpp",
    "chars": 4265,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_macro_resolver.h",
    "chars": 4762,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_ruleset.cpp",
    "chars": 868,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2024 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_ruleset.h",
    "chars": 8907,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_warning_resolver.cpp",
    "chars": 3242,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/filter_warning_resolver.h",
    "chars": 2370,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/formats.cpp",
    "chars": 6834,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/formats.h",
    "chars": 2143,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/indexable_ruleset.h",
    "chars": 11604,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2024 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/indexed_vector.h",
    "chars": 3698,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/logger.cpp",
    "chars": 4470,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/logger.h",
    "chars": 1313,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/output_format.h",
    "chars": 674,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2026 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_json_schema.h",
    "chars": 7190,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2024 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader.cpp",
    "chars": 16103,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader.h",
    "chars": 16327,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_collector.cpp",
    "chars": 11385,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_collector.h",
    "chars": 3347,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_compile_output.h",
    "chars": 1274,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_compiler.cpp",
    "chars": 21267,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_compiler.h",
    "chars": 3272,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_reader.cpp",
    "chars": 38639,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2025 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loader_reader.h",
    "chars": 2783,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/rule_loading_messages.h",
    "chars": 1337,
    "preview": "#pragma once\n\n////////////////\n// Warnings\n////////////////\n\n#define WARNING_APPEND                                     "
  },
  {
    "path": "userspace/engine/stats_manager.cpp",
    "chars": 2318,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/stats_manager.h",
    "chars": 2309,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/engine/yaml_helper.h",
    "chars": 14379,
    "preview": "// SPDX-License-Identifier: Apache-2.0\n/*\nCopyright (C) 2023 The Falco Authors.\n\nLicensed under the Apache License, Vers"
  },
  {
    "path": "userspace/falco/CMakeLists.txt",
    "chars": 5703,
    "preview": "# SPDX-License-Identifier: Apache-2.0\n#\n# Copyright (C) 2023 The Falco Authors.\n#\n# Licensed under the Apache License, V"
  }
]

// ... and 76 more files (download for full content)
